From 4649ecde588e7b9b51b5050d84876902f415744e Mon Sep 17 00:00:00 2001 From: Boston Dell-Vandenberg Date: Wed, 11 May 2016 14:16:16 -0400 Subject: [PATCH 001/292] Add https redirect on multisite subdomains --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index ce4c7c8f8d..c94d05cd7c 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -81,7 +81,7 @@ server { server { listen 80; - server_name {{ item.value.site_hosts | reverse_www(enabled=item.value.www_redirect | default(true)) | join(' ') }}; + server_name {{ item.value.site_hosts | reverse_www(enabled=item.value.www_redirect | default(true)) | join(' ') }} {% if item.value.multisite.subdomains | default(false) %} *.{{ item.value.site_hosts | join(' *.') }} {% endif %}; {% if item.value.ssl.provider | default('manual') == 'letsencrypt' -%} include acme-challenge-location.conf; From 12935308604c434cf1114209c71d2f97e97e35ab Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 30 May 2016 19:51:47 -0400 Subject: [PATCH 002/292] Fix #589 - Support unicode hosts Treat all string literals as unicode to support hosts/domain with unicode characters. --- lib/trellis/plugins/filter/filters.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/filter/filters.py b/lib/trellis/plugins/filter/filters.py index b76497c453..a242736c0f 100644 --- a/lib/trellis/plugins/filter/filters.py +++ b/lib/trellis/plugins/filter/filters.py @@ -1,5 +1,5 @@ # Make coding more python3-ish -from __future__ import (absolute_import, division, print_function) +from __future__ import (absolute_import, division, print_function, unicode_literals) __metaclass__ = type import types From 6c0efda7970159358965092fb3cbfad2fe436b8f Mon Sep 17 00:00:00 2001 
From: Primoz Cigler Date: Sat, 4 Jun 2016 23:13:11 +0200 Subject: [PATCH 003/292] Fix tags in the dev.yml. (#591) Tags for mail. mailhog and ssmtp where not delimited with a comma in dev.yml, requiring to use something like --tags 'mailhog mail' in CLI. Fixed the same way as the tags in server.yml. --- dev.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dev.yml b/dev.yml index b35ef3896f..0eaaacc6fa 100644 --- a/dev.yml +++ b/dev.yml @@ -11,8 +11,8 @@ - { role: ntp } - { role: sshd, tags: [sshd] } - { role: mariadb, tags: [mariadb] } - - { role: ssmtp, tags: [ssmtp mail] } - - { role: mailhog, tags: [mailhog mail] } + - { role: ssmtp, tags: [ssmtp, mail] } + - { role: mailhog, tags: [mailhog, mail] } - { role: php, tags: [php] } - { role: memcached, tags: [memcached] } - { role: nginx, tags: [nginx] } From 0675ca1b924e4239de058d9806d910be2e670ca3 Mon Sep 17 00:00:00 2001 From: Michael Silber Date: Sat, 4 Jun 2016 20:40:51 -0400 Subject: [PATCH 004/292] Reload nginx after renew Let's Encrypt certificate --- roles/letsencrypt/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 0abf592760..7f2902ea25 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml @@ -7,7 +7,7 @@ cron_file: letsencrypt-certificate-renewal name: letsencrypt certificate renewal user: root - job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py + job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py && service nginx reload day: "{{ letsencrypt_cronjob_daysofmonth }}" hour: 4 minute: 30 From 3bc7d96ccc00f6a05d666a3fde220dcf59139f86 Mon Sep 17 00:00:00 2001 
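Review bot: The new `job:` line reloads nginx on every successful cron run, because `service nginx reload` is chained unconditionally after `./renew-certs.py` rather than only when a certificate was actually rewritten. That is harmless for nginx but makes the entry noisy and hides whether a renewal happened; if `renew-certs.py` (outside this hunk) can report that nothing changed, gate the reload on that, otherwise document the always-reload behaviour with a comment on the task such as `# nginx is reloaded after every renewal run so new certificates take effect`. The `&&` chain also means a non-zero exit from the renew script skips the reload, which is the right order, but nothing here surfaces that failure beyond cron's own mail.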
From: Phil Nelson Date: Sat, 11 Jun 2016 17:08:54 -0700 Subject: [PATCH 005/292] Fix #468 - Use curl to install wp-cli tab completions --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 7 ++++--- roles/wp-cli/tasks/main.yml | 15 +++++++++++---- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ccdf2b892a..42611353df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #468 - Use curl to install wp-cli tab completions ([#593](https://github.com/roots/trellis/pull/593)) * Require Ansible 2.0.2 and remove deploy_helper ([#579](https://github.com/roots/trellis/pull/579)) * Add connection-related cli options to ping command ([#578](https://github.com/roots/trellis/pull/578)) * Wrap my.cnf password in quotes ([#577](https://github.com/roots/trellis/pull/577)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 60828899ac..7fb8e2df3c 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,5 @@ +wp_cli_version: 0.23.1 wp_cli_bin_path: /usr/bin/wp -wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v0.23.1/wp-cli-0.23.1.phar" -wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/master/utils/wp-completion.bash" -wp_cli_completion_path: /etc/bash_completion.d +wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" +wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" +wp_cli_completion_path: /etc/bash_completion.d/wp-completion.bash diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 4021a1e3bc..d4bfadd4f6 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml 
@@ -5,8 +5,15 @@ dest: "{{ wp_cli_bin_path }}" mode: 0755 +- name: Retrieve WP-CLI tab completions + command: curl -4Ls {{ wp_cli_completion_url }} -o /tmp/wp-completion-{{ wp_cli_version }}.bash + args: + creates: /tmp/wp-completion-{{ wp_cli_version }}.bash + warn: false + - name: Install WP-CLI tab completions - get_url: - url: "{{ wp_cli_completion_url }}" - dest: "{{ wp_cli_completion_path }}" - mode: 0644 + command: rsync -c --chmod=0644 --info=name /tmp/wp-completion-{{ wp_cli_version }}.bash {{ wp_cli_completion_path }} + args: + warn: false + register: wp_cli_completion + changed_when: wp_cli_completion.stdout == "wp-completion-{{ wp_cli_version }}.bash" From 7fb34093f01f420ff27c09d8ab7f4e40707b5c9f Mon Sep 17 00:00:00 2001 From: Paul Tibbetts Date: Mon, 13 Jun 2016 14:37:08 +0100 Subject: [PATCH 006/292] Updated contributions link in readme to point to roots/guidelines repo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f57451df60..508e9bea4d 100644 --- a/README.md +++ b/README.md @@ -92,7 +92,7 @@ A base Ubuntu 14.04 server is required for setting up remote servers. ## Contributing -Contributions are welcome from everyone. We have [contributing guidelines](CONTRIBUTING.md) to help you get started. +Contributions are welcome from everyone. We have [contributing guidelines](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) to help you get started. ## Community From 726644bc6925a8d0cd45975cb6975e0f4b86c6e4 Mon Sep 17 00:00:00 2001 From: Allan Chau Date: Thu, 16 Jun 2016 19:19:25 +0930 Subject: [PATCH 007/292] Update includeSubDomains captialization Fix for Warning: Non-standard capitalization of includeSubDomains --- roles/wordpress-setup/templates/https.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/templates/https.conf.j2 b/roles/wordpress-setup/templates/https.conf.j2 index edc908c7a8..e975d2034e 100644 
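Review bot: The `curl -4Ls {{ wp_cli_completion_url }} -o /tmp/wp-completion-{{ wp_cli_version }}.bash` task has no `--fail`, so an HTTP error body (for example a 404 for a tag that has no `utils/wp-completion.bash`) is saved as the completion file, and the `creates:` guard then makes that bad download permanent until someone deletes it by hand. Add `-f` to the curl flags so a non-2xx response leaves no file behind and the task is retried on the next run. The staging path is also a fixed, predictable name under the world-writable `/tmp`, and the next task copies whatever is at that path into `{{ wp_cli_completion_path }}`, which is sourced by every interactive bash shell on the box; staging the download in a root-owned directory (placeholder `{{ STAGING_DIR_PLACEHOLDER }}`) instead of `/tmp` removes the chance of another local account pre-seeding that file. Whether these tasks run with `become` is not visible in this hunk.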
--- a/roles/wordpress-setup/templates/https.conf.j2 +++ b/roles/wordpress-setup/templates/https.conf.j2 @@ -5,7 +5,7 @@ ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_buffer_size 1400; # 1400 bytes to fit in one MTU {% set hsts_max_age = item.value.ssl.hsts_max_age | default(nginx_hsts_max_age) %} -{% set hsts_include_subdomains = item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubdomains', None) %} +{% set hsts_include_subdomains = item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubDomains', None) %} {% set hsts_preload = item.value.ssl.hsts_preload | default(nginx_hsts_preload) | ternary('preload', None) %} add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}"; @@ -19,4 +19,4 @@ add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_sub ssl_certificate {{ nginx_path }}/ssl/{{ item.key }}.cert; ssl_trusted_certificate {{ nginx_path }}/ssl/{{ item.key }}.cert; ssl_certificate_key {{ nginx_path }}/ssl/{{ item.key }}.key; -{%- endif -%} \ No newline at end of file +{%- endif -%} From f48cea7d2a2f30ec7075f780d2b48a0a69827338 Mon Sep 17 00:00:00 2001 From: Michael Silber Date: Thu, 23 Jun 2016 23:39:54 -0400 Subject: [PATCH 008/292] Bump Vagrant version in docs --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 508e9bea4d..a99c6453ea 100644 --- a/README.md +++ b/README.md 
@@ -33,7 +33,7 @@ Make sure all dependencies have been installed before moving on: * [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) 2.0.2 * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -* [Vagrant](http://www.vagrantup.com/downloads.html) >= 1.5.4 +* [Vagrant](http://www.vagrantup.com/downloads.html) <= 1.8.1 * [vagrant-bindfs](https://github.com/gael-ian/vagrant-bindfs#installation) >= 0.3.1 (Windows users may skip this) * [vagrant-hostmanager](https://github.com/smdahlen/vagrant-hostmanager#installation) From 8a1a83f8f871da4a1ea3667890aba34ad59580e5 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 10 May 2016 20:39:39 -0400 Subject: [PATCH 009/292] Vagrant post up message --- CHANGELOG.md | 1 + Vagrantfile | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 42611353df..9c5ac8e227 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add Vagrant post up message ([#602](https://github.com/roots/trellis/pull/602)) * Fix #468 - Use curl to install wp-cli tab completions ([#593](https://github.com/roots/trellis/pull/593)) * Require Ansible 2.0.2 and remove deploy_helper ([#579](https://github.com/roots/trellis/pull/579)) * Add connection-related cli options to ping command ([#578](https://github.com/roots/trellis/pull/578)) diff --git a/Vagrantfile b/Vagrantfile index efa3acee03..9e2fa6d4e5 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -40,6 +40,8 @@ Vagrant.configure('2') do |config| config.vm.box = 'ubuntu/trusty64' config.ssh.forward_agent = true + config.vm.post_up_message = post_up_message + # Fix for: "stdin: is not a tty" # https://github.com/mitchellh/vagrant/issues/1673#issuecomment-28288042 config.ssh.shell = %{bash -c 'BASH_ENV=/etc/profile exec bash'} 
@@ -136,6 +138,15 @@ def nfs_path(site_name) "/vagrant-nfs-#{site_name}" end +def post_up_message + msg = 'Your Trellis Vagrant box is ready to use!' + msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine." + msg << "\n* You can SSH into the machine with `vagrant ssh`." + msg << "\n* Then navigate to your WordPress sites at `/srv/www`." + + msg +end + def remote_site_path(site_name) "/srv/www/#{site_name}/current" end From a21835cef540b463f4d60eafc24f6171983fae2b Mon Sep 17 00:00:00 2001 From: Paul Tibbetts Date: Sun, 26 Jun 2016 22:29:09 +0100 Subject: [PATCH 010/292] adds "I've read the guidelines" to the GitHub issue template --- .github/ISSUE_TEMPLATE.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index ec6ac6af71..abcad7cda5 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -1,5 +1,6 @@ ## Submit a feature request or bug report +- [ ] I've read the [guidelines for Contributing to Roots Projects](https://github.com/roots/guidelines/blob/master/CONTRIBUTING.md) - [ ] This is a feature request - [ ] This is a bug report - [ ] This request isn't a duplicate of an [existing issue](https://github.com/roots/trellis/issues) From 9aec54aeede8cb6ae32cecff96c5d79a4be550d6 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 30 Jun 2016 14:14:33 -0600 Subject: [PATCH 011/292] Update per-item callback names for Ansible 2.0.2.0 --- lib/trellis/plugins/callback/output.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index 3839606336..d566b69888 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py 
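Review bot: `post_up_message` builds its text by appending with `<<` to a single-quoted literal, which mutates that literal object in place on each call; an array joined with `"\n"` produces the identical string without the mutation and reads closer to the output it generates. The method is called from the `Vagrant.configure` block earlier in the file, which presumably works because the block is evaluated after the whole Vagrantfile has loaded, the same assumption the existing `nfs_path` helper already relies on.
```ruby
def post_up_message
  [
    'Your Trellis Vagrant box is ready to use!',
    '* Composer and WP-CLI commands need to be run on the virtual machine.',
    '* You can SSH into the machine with `vagrant ssh`.',
    '* Then navigate to your WordPress sites at `/srv/www`.'
  ].join("\n")
end
```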
@@ -63,18 +63,18 @@ def v2_playbook_on_play_start(self, play): if 'vagrant_version' in play_vars: self.vagrant_version = play_vars['vagrant_version'] - def v2_playbook_item_on_ok(self, result): + def v2_runner_item_on_ok(self, result): output.display_item(self, result) output.replace_item_with_key(self, result) - super(CallbackModule, self).v2_playbook_item_on_ok(result) + super(CallbackModule, self).v2_runner_item_on_ok(result) - def v2_playbook_item_on_failed(self, result): + def v2_runner_item_on_failed(self, result): self.task_failed = True output.display_item(self, result) output.replace_item_with_key(self, result) - super(CallbackModule, self).v2_playbook_item_on_failed(result) + super(CallbackModule, self).v2_runner_item_on_failed(result) - def v2_playbook_item_on_skipped(self, result): + def v2_runner_item_on_skipped(self, result): output.display_item(self, result) output.replace_item_with_key(self, result) - super(CallbackModule, self).v2_playbook_item_on_skipped(result) + super(CallbackModule, self).v2_runner_item_on_skipped(result) From 52e15931ae7540d4886a244fb57ec208b279bac3 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 30 Jun 2016 14:39:27 -0600 Subject: [PATCH 012/292] Support complex Ansible version comparisons --- roles/common/defaults/main.yml | 7 ++++++- roles/common/tasks/main.yml | 13 ++++++++----- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 2f60766019..95ddcbec74 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -1,2 +1,7 @@ -minimum_ansible_version: 2.0.2.0 +ansible_requirements: + - version: 2.0.2.0 + operator: '>=' + - version: 2.1.0.0 + operator: '!=' + default_timezone: Etc/UTC diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index a42e9e0ffe..c479afb3bd 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -1,10 +1,13 @@ --- - name: Validate Ansible version - assert: - that: - - "{{ ansible_version is defined }}" - - "{{ ansible_version.full | version_compare(minimum_ansible_version, '>=') }}" - msg: "Your Ansible version is too old. Trellis requires at least {{ minimum_ansible_version }}. Your version is {{ ansible_version.full | default('< 1.6') }}" + fail: + msg: | + Your Ansible version is {{ ansible_version.full | default('unknown') }}. + Please install a version of Ansible that meets these requirements: + {% for item in ansible_requirements %} + {{ item.operator }} {{ item.version }} + {% endfor %} + when: ansible_version is not defined or false in [{% for item in ansible_requirements %}{{ ansible_version.full | version_compare(item.version, item.operator) }},{% endfor %}] run_once: true - name: Update Apt From 99917219a0da2cf2b3aa8a1ea93e3f106e0ec5bb Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 2 Jul 2016 12:14:49 -0600 Subject: [PATCH 013/292] Rename cli_options_ping var to just cli_options These options are relevant to any connection, not just ping. --- lib/trellis/plugins/vars/vars.py | 4 ++-- roles/remote-user/tasks/main.yml | 2 +- roles/users/tasks/main.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/vars/vars.py index 6ebfdef178..21d5a35dee 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/vars/vars.py @@ -29,7 +29,7 @@ def wrap_salts_in_raw(self, host, hostvars): hostvars['vault_wordpress_sites'][name]['env'][key] = ''.join(['{% raw %}', value, '{% endraw %}']) host.vars['vault_wordpress_sites'] = hostvars['vault_wordpress_sites'] - def cli_options_ping(self): + def cli_options(self): options = [] strings = { 
@@ -59,5 +59,5 @@ def cli_options_ping(self): def get_host_vars(self, host, vault_password=None): self.wrap_salts_in_raw(host, host.get_group_vars()) - host.vars['cli_options_ping'] = self.cli_options_ping() + host.vars['cli_options'] = self.cli_options() return {} diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index ca651a81c8..4e2c66ca80 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Determine whether to connect as root or admin_user - local_action: command ansible {{ inventory_hostname }} -m ping -u {{ ansible_user | default('root') }} {{ cli_options_ping | default('') }} + local_action: command ansible {{ inventory_hostname }} -m ping -u {{ ansible_user | default('root') }} {{ cli_options | default('') }} failed_when: false changed_when: false register: root_status diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index e6a7368176..f080e38e4e 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -51,7 +51,7 @@ - keys - name: Check whether Ansible can connect as admin_user - local_action: command ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options_ping | default('') }} + local_action: command ansible {{ inventory_hostname }} -m ping -u {{ admin_user }} {{ cli_options | default('') }} failed_when: false changed_when: false become: no From 55c2f41277f1861af3cc0483067999c665c08139 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 2 Jul 2016 12:37:10 -0600 Subject: [PATCH 014/292] Require --user option when --ask-pass is used No longer attempt local_action connection tests with --ask-pass. They fail with `(25, 'Inappropriate ioctl for device')`. --- lib/trellis/plugins/vars/vars.py | 11 +++-------- roles/remote-user/tasks/main.yml | 28 +++++++++++++++++++--------- 2 files changed, 22 insertions(+), 17 deletions(-) 
diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/vars/vars.py index 21d5a35dee..c58611d347 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/vars/vars.py @@ -46,18 +46,13 @@ def cli_options(self): if getattr(self._options, value, False): options.append("{0}='{1}'".format(option, str(getattr(self._options, value)))) - booleans = { - '--ask-pass': 'ask_pass', - '--ask-vault-pass': 'ask_vault_pass', - } - - for option,value in booleans.iteritems(): - if getattr(self._options, value, False): - options.append(option) + if getattr(self._options, 'ask_vault_pass', False): + options.append('--ask-vault-pass') return ' '.join(options) def get_host_vars(self, host, vault_password=None): self.wrap_salts_in_raw(host, host.get_group_vars()) host.vars['cli_options'] = self.cli_options() + host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) return {} diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index 4e2c66ca80..4cad813ea7 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml 
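Review bot: The string returned by `cli_options` is later interpolated into a `command ansible ...` line, and the retained `options.append("{0}='{1}'".format(option, str(getattr(self._options, value))))` just above the new `--ask-vault-pass` branch wraps each value in bare single quotes, so a value containing a quote (a private-key or vault-password-file path, say) breaks the shell-style splitting of that command. For this Python 2 code `pipes.quote` gives correct quoting: `options.append('{0}={1}'.format(option, pipes.quote(str(getattr(self._options, value)))))` with `import pipes` at the top of the module. This is pre-existing behaviour that the hunk keeps rather than something the commit introduces, and `cli_options` begins before the hunk.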
@@ -1,13 +1,23 @@ --- -- name: Determine whether to connect as root or admin_user - local_action: command ansible {{ inventory_hostname }} -m ping -u {{ ansible_user | default('root') }} {{ cli_options | default('') }} - failed_when: false - changed_when: false - register: root_status - -- name: Set remote user for each host - set_fact: - ansible_user: "{{ root_status | success | ternary(ansible_user | default('root'), admin_user) }}" +- block: + - name: Require manual definition of remote-user + fail: + msg: | + When using `--ask-pass` option, use `-u` option to define remote-user: + ansible-playbook server.yml -e env={{ env }} -u root --ask-pass + when: cli_ask_pass | default(false) + + - name: Check whether Ansible can connect as root + local_action: command ansible {{ inventory_hostname }} -m ping -u root {{ cli_options | default('') }} + failed_when: false + changed_when: false + register: root_status + + - name: Set remote user for each host + set_fact: + ansible_user: "{{ root_status | success | ternary('root', admin_user) }}" + + when: ansible_user is not defined - name: Announce which user was selected debug: From 3f1b6995f90232dca7324074548784cbc23a0b73 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 2 Jul 2016 13:00:23 -0600 Subject: [PATCH 015/292] Add prompts to prevent lockout when --ask-pass There is risk for lockout when root login or SSH password login will be disabled and the SSH key connection test fails for admin_user. A project employing --ask-pass could potentially still connect as admin_user via password or some other user via key. Don't fail, but require confirmation to continue. --- roles/users/tasks/connection-warnings.yml | 40 +++++++++++++++++++++++ roles/users/tasks/main.yml | 8 ++--- 2 files changed, 43 insertions(+), 5 deletions(-) create mode 100644 roles/users/tasks/connection-warnings.yml 
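Review bot: The `fail` message in the new block renders `{{ env }}` without a default, so on a host where `env` is not set (not visible here whether that can happen for this role) the task would error while formatting its own hint instead of printing it; `ansible-playbook server.yml -e env={{ env | default('<env>') }} -u root --ask-pass` keeps the hint readable either way. The outer `when: ansible_user is not defined` means any `-u` on the command line skips all three tasks, which matches the commit message, so the `--ask-pass` guidance only appears when no user was given.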
diff --git a/roles/users/tasks/connection-warnings.yml b/roles/users/tasks/connection-warnings.yml new file mode 100644 index 0000000000..c8d505fc11 --- /dev/null +++ b/roles/users/tasks/connection-warnings.yml @@ -0,0 +1,40 @@ +--- +- name: Fail if root login will be disabled but admin_user cannot connect + fail: + msg: 'The admin_user `{{ admin_user }}` is unable to connect to the server. To prevent you from losing access to your server, the playbook has halted before disabling root login (`sshd_permit_root_login: false`). Ensure that the admin_user appears in your `users` hash with a valid entry for `keys`.' + when: not cli_ask_pass | default(false) and ansible_user == 'root' + +- block: + - name: Confirm that a non-root user can connect + pause: + prompt: | + + The play will disable SSH login for `root` (because `sshd_permit_root_login: false`) + but the admin_user named `{{ admin_user }}` appears unable to connect via SSH key. + + Be careful to avoid losing SSH access to your server. + Continue only if `{{ admin_user }}` will be able to connect via password or if + a different user will be able to connect and invoke sudo. + + (press RETURN to continue or CTRL+C to abort) + when: not sshd_permit_root_login and ansible_user == 'root' + + - name: Confirm disabling of SSH password authentication + pause: + prompt: | + + The play will disable password login (because `sshd_password_authentication: false`) + but the admin_user named `{{ admin_user }}` appears unable to connect via SSH key. + + Be careful to avoid losing SSH access to your server. + Continue only if you are certain you will have another means of connecting, + such as via SSH keys. + + If you prefer to continue to allow SSH password authentication (less secure), + abort now and make the following edit in `group_vars/all/security.yml`: + `sshd_password_authentication: true` + + (press RETURN to continue or CTRL+C to abort) + when: not sshd_password_authentication + + when: cli_ask_pass | default(false) 
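Review bot: In the new file the `fail` task is limited to `ansible_user == 'root'` and both prompts to `cli_ask_pass`, so a run without `--ask-pass` that connects as some other key-based user (`-u deployer`, say) with `sshd_permit_root_login: false` and a failing `admin_user` connection test passes through both and continues silently, whereas the `fail` this commit removes from `roles/users/tasks/main.yml` halted regardless of the connecting user. If that case is not meant to pass silently, drop the user clause to `when: not cli_ask_pass | default(false)`; the non-`--ask-pass` path only reaches this include when root login is being disabled, per the `when` on the connection test in the users role. A one-line header comment stating that this file is only included after `admin_user_status` fails would also help, since that precondition is what makes the conditions inside it sufficient.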
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index f080e38e4e..0a12aca8ad 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -56,9 +56,7 @@ changed_when: false become: no register: admin_user_status - when: not sshd_permit_root_login + when: (ansible_user != admin_user and not sshd_permit_root_login) or (cli_ask_pass and not sshd_password_authentication) -- name: Fail if root login will be disabled but admin_user cannot connect - fail: - msg: 'The admin_user is unable to connect to the server. To prevent you from losing access to your server, the playbook has halted before disabling root login (`sshd_permit_root_login: false`). Ensure that the admin_user appears in your `users` hash with a valid entry for `keys`.' - when: not sshd_permit_root_login and admin_user_status | failed +- include: connection-warnings.yml + when: admin_user_status | failed From 2663b70ad7bdadfff9ed016606fc0aa43572b8e4 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 2 Jul 2016 13:48:58 -0600 Subject: [PATCH 016/292] Add tags to ensure connection tests run with sshd role Otherwise, critical tests from users role wouldn't run when playbook is invoked with `--tags sshd`. Additionally, `--skip-tags connection-tests` is convenient if ever the tests are problematic or bothersome. --- roles/remote-user/tasks/main.yml | 3 ++- roles/users/tasks/main.yml | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index 4cad813ea7..440ad1773c 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml 
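Review bot: The new `when:` on the admin_user connection test reads `cli_ask_pass` without a default, while `connection-warnings.yml` added in the same commit uses `cli_ask_pass | default(false)`; if the vars plugin that sets this host var is not loaded, this conditional fails on an undefined variable where the other file would not. Use the same form here: `when: (ansible_user != admin_user and not sshd_permit_root_login) or (cli_ask_pass | default(false) and not sshd_password_authentication)`. The `- include: connection-warnings.yml` with `when: admin_user_status | failed` relies on a skipped register not counting as failed, which holds but is worth a short comment on the include.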
@@ -12,10 +12,11 @@ failed_when: false changed_when: false register: root_status + tags: [connection-tests] - name: Set remote user for each host set_fact: - ansible_user: "{{ root_status | success | ternary('root', admin_user) }}" + ansible_user: "{{ root_status | default({'failed':false}) | success | ternary('root', admin_user) }}" when: ansible_user is not defined diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 0a12aca8ad..c64b8fea8e 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -20,6 +20,7 @@ - "{{ admin_user in sudoer_passwords.keys() }}" msg: "When `sshd_permit_root_login: false`, you must add `sudo` to the `groups` for admin_user (in `users` hash), and set a password for admin_user in `sudoer_passwords`. Otherwise Ansible could lose the ability to run the necessary sudo commands." when: not sshd_permit_root_login + tags: sshd - name: Setup users user: @@ -57,6 +58,8 @@ become: no register: admin_user_status when: (ansible_user != admin_user and not sshd_permit_root_login) or (cli_ask_pass and not sshd_password_authentication) + tags: [connection-tests, sshd] - include: connection-warnings.yml when: admin_user_status | failed + tags: [connection-tests, sshd] From 805d2b40d73bb04adcd3177a3917887fffeabe86 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 3 Jul 2016 11:46:38 -0400 Subject: [PATCH 017/292] Use Vagrant 1.8.1 releases link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a99c6453ea..599ce0e165 100644 --- a/README.md +++ b/README.md 
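Review bot: The new `root_status | default({'failed':false})` makes a skipped connection test (`--skip-tags connection-tests`) resolve to `'root'`, as long as the `success` filter treats a result without a `failed` key as success; on a host where root login is already disabled the play then tries root and cannot connect instead of falling back to `admin_user`. That is presumably the intended trade-off, but a comment on the task, `# connection test skipped: assume root unless -u was given`, would make the assumption explicit to whoever skips the tag. In the users role, `tags: sshd` on the assert task differs in form from the `tags: [connection-tests, sshd]` lists added in the same commit; the list form throughout keeps the file consistent.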
@@ -33,7 +33,7 @@ Make sure all dependencies have been installed before moving on: * [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) 2.0.2 * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -* [Vagrant](http://www.vagrantup.com/downloads.html) <= 1.8.1 +* [Vagrant](https://releases.hashicorp.com/vagrant/1.8.1/) 1.8.1 * [vagrant-bindfs](https://github.com/gael-ian/vagrant-bindfs#installation) >= 0.3.1 (Windows users may skip this) * [vagrant-hostmanager](https://github.com/smdahlen/vagrant-hostmanager#installation) From dc42cfd0434de805067785e1df1a981c7d68cf79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20-=20Lucian=20=C8=98tefancu?= Date: Mon, 11 Jul 2016 00:21:37 +0300 Subject: [PATCH 018/292] Merge pull request #613 from danstefancu/patch-1 * Install ansible 2.0.2 in windows via pip Ansible 2.1.0 has a bug, and apt cannot install 2.0.2 version that is not afected. See: https://github.com/ansible/ansible/issues/15915 See: https://discourse.roots.io/t/taskinclude-object-has-no-attribute-has-triggered/6834/5 --- windows.sh | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows.sh b/windows.sh index b74c1f764d..fe5081fb46 100644 --- a/windows.sh +++ b/windows.sh @@ -31,12 +31,11 @@ fi # Install Ansible and its dependencies if not installed. if [ ! -f /usr/bin/ansible ]; then - echo "Adding Ansible repository..." - sudo apt-add-repository -y ppa:ansible/ansible - echo "Updating system..." - sudo apt-get -y update - echo "Installing Ansible..." - sudo apt-get -y install ansible + echo "Installing pip..." + sudo apt-get -y install python-pip + echo "Installing Ansible with pip..." + sudo pip install ansible=='2.0.2.0' + sudo pip install markupsafe fi if [ ! -d ${ANSIBLE_PATH}/vendor ]; then From 8f5177f6bb7326b71ce5cd53f3c00a808e77c5a3 Mon Sep 17 00:00:00 2001 
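Review bot: The rewritten install branch in windows.sh drops the `sudo apt-get -y update` that the old branch ran before installing, so `sudo apt-get -y install python-pip` can fail on a fresh box whose package lists have never been refreshed; keep `sudo apt-get -y update` ahead of the install. `sudo pip install markupsafe` is also unpinned and installed system-wide as root, unlike the pinned `ansible=='2.0.2.0'` beside it; pinning it (placeholder `markupsafe==<version>`) keeps the environment reproducible and limits what a later upstream release can change on the machine.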
From: Phil Nelson Date: Wed, 6 Jul 2016 21:30:54 -0600 Subject: [PATCH 019/292] Add list of raw_vars whose values are auto-escaped Variables with randomly generated values risk having opening jinja delimiters such as `{{` and `{%`, causing templating failures. The new list of `raw_vars` is a user-configurable method to wrap variable values in `{% raw %}`. --- group_vars/all/main.yml | 9 +++++ lib/trellis/plugins/vars/vars.py | 64 +++++++++++++++++++++++++++----- 2 files changed, 64 insertions(+), 9 deletions(-) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index b3b08266fa..e96d2d3995 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -17,3 +17,12 @@ wordpress_env_defaults: wp_siteurl: "${WP_HOME}/wp" site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" + +# Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. +# Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: +# - vault_wordpress_sites.*.*_salt -- matches vault_wordpress_sites.example.com.env.secure_auth_salt etc. +# Will not function for var names or topmost dict keys that contain a period ('.'). +raw_vars: + - vault_mail_password + - vault_mysql_root_password + - vault_wordpress_sites diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/vars/vars.py index c58611d347..3f8cfb238e 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/vars/vars.py @@ -1,6 +1,8 @@ from __future__ import (absolute_import, division, print_function) __metaclass__ = type +import re + from ansible import __version__ from ansible.errors import AnsibleError 
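Review bot: The comment above `raw_vars` explains the `*` wildcard but not what a bare top-level name such as `vault_wordpress_sites` does; the vars plugin in this commit matches with `re.match`, which anchors only at the start, so a bare name wraps every nested value beneath it, and any value under it that was meant to be templated (a `{{ ... }}` reference inside a site's `env`) stops being evaluated. Add a line to the comment, e.g. `# A name without '*' wraps every value nested under it (e.g. all of vault_wordpress_sites).`, so users know the scope before adding entries. For the same reason an entry is a prefix match, so `vault_mail_password` would also wrap a variable named `vault_mail_password_old`, which the comment should mention unless the plugin is changed to anchor the end.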
@@ -10,6 +12,7 @@ # These imports will produce Traceback in Ansible 1.x, so place after version check from __main__ import cli from ansible.compat.six import iteritems +from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode class VarsModule(object): 
@@ -20,14 +23,57 @@ def __init__(self, inventory): self.inventory_basedir = inventory.basedir() self._options = cli.options if cli else None - # Wrap salts and keys variables in {% raw %} to prevent jinja templating errors - def wrap_salts_in_raw(self, host, hostvars): - if 'vault_wordpress_sites' in hostvars: - for name, site in hostvars['vault_wordpress_sites'].iteritems(): - for key, value in site['env'].iteritems(): - if key.endswith(('_key', '_salt')) and not value.startswith(('{% raw', '{%raw')): - hostvars['vault_wordpress_sites'][name]['env'][key] = ''.join(['{% raw %}', value, '{% endraw %}']) - host.vars['vault_wordpress_sites'] = hostvars['vault_wordpress_sites'] + def raw_triage(self, key_string, item, patterns): + # process dict values + if isinstance(item, AnsibleMapping): + dict = {} + for key,value in item.iteritems(): + dict[key] = self.raw_triage('.'.join([key_string, key]), value, patterns) + return dict + + # process list values + elif isinstance(item, AnsibleSequence): + list = [] + for i,value in enumerate(item): + raw = self.raw_triage('.'.join([key_string, str(i)]), value, patterns) + list.append(raw) + return list + + # wrap values if they match raw_vars pattern + elif isinstance(item, AnsibleUnicode): + matches = False + for pattern in patterns: + if re.match(pattern, key_string) is not None: + matches = True + break + + if not item.startswith(('{% raw', '{%raw')) and matches: + item = ''.join(['{% raw %}', item, '{% endraw %}']) + + return item + + def raw_vars(self, host, hostvars): + if 'raw_vars' not in hostvars: + return + + raw_vars = list((var for var in hostvars['raw_vars'] if var.split('.')[0] in hostvars)) + + # prepare regex match patterns + patterns = [] + for pattern in raw_vars: + pattern = re.sub(r'\.', '\.', pattern) + pattern = re.sub(r'\*', '(.)*', pattern) + patterns.append(pattern) + + # wrap matching vars under each key + keys = set() + for var in raw_vars: + key = var.split('.')[0] + if key in keys: + continue + + 
host.vars[key] = self.raw_triage(key, hostvars[key], patterns) + keys.add(key) def cli_options(self): options = [] @@ -52,7 +98,7 @@ def cli_options(self): return ' '.join(options) def get_host_vars(self, host, vault_password=None): - self.wrap_salts_in_raw(host, host.get_group_vars()) + self.raw_vars(host, host.get_group_vars()) host.vars['cli_options'] = self.cli_options() host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) return {} From fdc8e6b5f540600c8ebcbaeff697ef0df8ef96c6 Mon Sep 17 00:00:00 2001 From: Michael Silber Date: Tue, 12 Jul 2016 22:21:15 -0400 Subject: [PATCH 020/292] Update WP Multisite Home URL after instllation --- roles/wordpress-install/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index cb5999a3b9..6cbc36ff72 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -62,3 +62,10 @@ with_dict: "{{ wordpress_sites }}" when: item.value.site_install | default(true) and item.value.multisite.enabled | default(false) changed_when: "'The network already exists.' not in wp_install_results.stdout" + +- name: Update WP Multisite Home URL + command: wp option update home {{ site_env.wp_home }} --allow-root + args: + chdir: "{{ www_root }}/{{ item.key }}/current/" + with_dict: "{{ wordpress_sites }}" + when: item.value.site_install | default(true) and item.value.multisite.enabled | default(false) From 03dd92ae45163b52be81381c550425970442dae3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 16 Jul 2016 00:16:39 -0400 Subject: [PATCH 021/292] 616 CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9c5ac8e227..9761fe0441 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
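Review bot: Wrapping a matched value in `{% raw %}…{% endraw %}` inside raw_triage does not protect a value that itself contains `{% endraw %}`: the wrapper is closed early and the remainder of the secret is handed to Jinja as template text, which is exactly what the wrapping is meant to prevent for operator-supplied salts and passwords. Refuse such values rather than wrapping them, e.g. `if '{% endraw' in item or '{%endraw' in item: raise AnsibleError('raw_vars: value of {0} contains an endraw tag and cannot be wrapped'.format(key_string))` just before the existing `startswith` check (AnsibleError is already imported in this file). Only `AnsibleUnicode` values are wrapped; plain `str`, numbers and other scalars under a matched key pass through the final `return item` untouched, which is presumably intended but deserves a one-line comment on the `elif isinstance(item, AnsibleUnicode)` branch so nobody assumes every leaf is protected.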
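Review bot: The new `Update WP Multisite Home URL` task interpolates `{{ site_env.wp_home }}` unquoted into the `command` line, so a value containing whitespace or quote characters is split into several arguments by the argument parser instead of being passed as one value; `wp_home` is operator config, so this is a robustness rather than an injection concern, but `wp option update home {{ site_env.wp_home | quote }} --allow-root` is the safer form. The task also has no `changed_when`, unlike the install tasks around it, so every provisioning run reports a change even when the option already holds the value; if wp-cli's output distinguishes an unchanged option in the pinned version, a `changed_when` on `stdout` would keep the play idempotent.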
@@ -1,4 +1,5 @@ ### HEAD +* Fix `wp_home` option in Multisite after install in development ([#616](https://github.com/roots/trellis/pull/616)) * Add Vagrant post up message ([#602](https://github.com/roots/trellis/pull/602)) * Fix #468 - Use curl to install wp-cli tab completions ([#593](https://github.com/roots/trellis/pull/593)) * Require Ansible 2.0.2 and remove deploy_helper ([#579](https://github.com/roots/trellis/pull/579)) From 3fda4a7b29e68fd24bc1e7447fecd9e4ce0607ab Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 18 Jul 2016 03:25:00 -0600 Subject: [PATCH 022/292] Use comprehensions --- lib/trellis/plugins/vars/vars.py | 43 ++++++-------------------------- 1 file changed, 7 insertions(+), 36 deletions(-) diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/vars/vars.py index 3f8cfb238e..d0c64faa70 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/vars/vars.py 
@@ -26,54 +26,25 @@ def __init__(self, inventory): def raw_triage(self, key_string, item, patterns): # process dict values if isinstance(item, AnsibleMapping): - dict = {} - for key,value in item.iteritems(): - dict[key] = self.raw_triage('.'.join([key_string, key]), value, patterns) - return dict + return dict((key,self.raw_triage('.'.join([key_string, key]), value, patterns)) for key,value in item.iteritems()) # process list values elif isinstance(item, AnsibleSequence): - list = [] - for i,value in enumerate(item): - raw = self.raw_triage('.'.join([key_string, str(i)]), value, patterns) - list.append(raw) - return list + return [self.raw_triage('.'.join([key_string, str(i)]), value, patterns) for i,value in enumerate(item)] # wrap values if they match raw_vars pattern elif isinstance(item, AnsibleUnicode): - matches = False - for pattern in patterns: - if re.match(pattern, key_string) is not None: - matches = True - break - - if not item.startswith(('{% raw', '{%raw')) and matches: - item = ''.join(['{% raw %}', item, '{% endraw %}']) - - return item + match = next((pattern for pattern in patterns if re.match(pattern, key_string)), None) + return ''.join(['{% raw %}', item, '{% endraw %}']) if not item.startswith(('{% raw', '{%raw')) and match else item def raw_vars(self, host, hostvars): if 'raw_vars' not in hostvars: return - raw_vars = list((var for var in hostvars['raw_vars'] if var.split('.')[0] in hostvars)) - - # prepare regex match patterns - patterns = [] - for pattern in raw_vars: - pattern = re.sub(r'\.', '\.', pattern) - pattern = re.sub(r'\*', '(.)*', pattern) - patterns.append(pattern) - - # wrap matching vars under each key - keys = set() - for var in raw_vars: - key = var.split('.')[0] - if key in keys: - continue - + patterns = [re.sub(r'\*', '(.)*', re.sub(r'\.', '\.', var)) for var in hostvars['raw_vars'] if var.split('.')[0] in hostvars] + keys = set(pattern.split('\.')[0] for pattern in patterns) + for key in keys: host.vars[key] = 
self.raw_triage(key, hostvars[key], patterns) - keys.add(key) def cli_options(self): options = [] From 7983ff3ec663e435828743f099e163b2c8e27984 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 18 Jul 2016 14:59:54 -0600 Subject: [PATCH 023/292] Raise error if raw_vars not defined as list --- lib/trellis/plugins/vars/vars.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/vars/vars.py index d0c64faa70..4c68cf9496 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/vars/vars.py @@ -41,6 +41,9 @@ def raw_vars(self, host, hostvars): if 'raw_vars' not in hostvars: return + if not isinstance(hostvars['raw_vars'], AnsibleSequence): + raise AnsibleError('The `raw_vars` variable must be defined as a list.') + patterns = [re.sub(r'\*', '(.)*', re.sub(r'\.', '\.', var)) for var in hostvars['raw_vars'] if var.split('.')[0] in hostvars] keys = set(pattern.split('\.')[0] for pattern in patterns) for key in keys: From 6807515507f7806810ded8acd173768934aba5af Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 18 Jul 2016 15:15:32 -0600 Subject: [PATCH 024/292] Template the raw_vars variable before processing --- lib/trellis/plugins/vars/vars.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/vars/vars.py index 4c68cf9496..e55242ecb6 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/vars/vars.py @@ -12,7 +12,9 @@ # These imports will produce Traceback in Ansible 1.x, so place after version check from __main__ import cli from ansible.compat.six import iteritems +from ansible.parsing.dataloader import DataLoader from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode +from ansible.template import Templar class VarsModule(object): 
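Review bot: In `raw_vars` the patterns still escape only the period before turning `*` into `(.)*`, so any other regex metacharacter in a `raw_vars` entry or in a dict key it is later matched against (`+`, `(`, `[`, `?`) yields a broken or over-matching expression, and the `re.match` in `raw_triage` is not anchored at a key boundary, so `vault_mail_password` also matches a sibling such as `vault_mail_password_old`. Deriving `keys` by splitting the escaped pattern on `'\.'` ties the `hostvars[key]` lookup to that hand-rolled escaping as well, and both `'\.'` literals rely on Python leaving an unknown escape alone where a raw string would be explicit. Build the patterns with `re.escape`, put back only the wildcard, compute `keys` from the original names, and require a match to end at the end of the key or at a dot; the rewritten lines follow.
```python
    def raw_triage(self, key_string, item, patterns):
        # … unchanged: AnsibleMapping / AnsibleSequence recursion …
        elif isinstance(item, AnsibleUnicode):
            # a pattern must cover the whole key_string or a dotted prefix of it,
            # so `foo` matches `foo` and `foo.bar` but not `foobar`
            match = next((pattern for pattern in patterns if re.match(pattern + r'(\.|$)', key_string)), None)
            return ''.join(['{% raw %}', item, '{% endraw %}']) if not item.startswith(('{% raw', '{%raw')) and match else item

    def raw_vars(self, host, hostvars):
        # … unchanged: early return when raw_vars is absent …
        wanted = [var for var in hostvars['raw_vars'] if var.split('.')[0] in hostvars]
        # re.escape neutralises every metacharacter; only the `*` wildcard is restored
        patterns = [re.escape(var).replace('\\*', '.*') for var in wanted]
        keys = set(var.split('.')[0] for var in wanted)
        # … unchanged: per-key raw_triage loop …
```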
@@ -21,6 +23,7 @@ class VarsModule(object): def __init__(self, inventory): self.inventory = inventory self.inventory_basedir = inventory.basedir() + self.loader = DataLoader() self._options = cli.options if cli else None def raw_triage(self, key_string, item, patterns): @@ -41,10 +44,11 @@ def raw_vars(self, host, hostvars): if 'raw_vars' not in hostvars: return - if not isinstance(hostvars['raw_vars'], AnsibleSequence): + raw_vars = Templar(variables=hostvars, loader=self.loader).template(hostvars['raw_vars']) + if not isinstance(raw_vars, list): raise AnsibleError('The `raw_vars` variable must be defined as a list.') - patterns = [re.sub(r'\*', '(.)*', re.sub(r'\.', '\.', var)) for var in hostvars['raw_vars'] if var.split('.')[0] in hostvars] + patterns = [re.sub(r'\*', '(.)*', re.sub(r'\.', '\.', var)) for var in raw_vars if var.split('.')[0] in hostvars] keys = set(pattern.split('\.')[0] for pattern in patterns) for key in keys: host.vars[key] = self.raw_triage(key, hostvars[key], patterns) From 13d6841df57360a3e50e11cd4e7b9dc56d2aa501 Mon Sep 17 00:00:00 2001 
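Review bot: After templating, `raw_vars` is only checked to be a `list`; each element is then passed to `var.split('.')` in the comprehension on the next line, so a non-string entry (a nested list, a mapping, a number) surfaces as an AttributeError traceback rather than the friendly AnsibleError this check was added to produce. Extend the guard to the element type, `if not isinstance(raw_vars, list) or not all(isinstance(var, string_types) for var in raw_vars):`, with the message `'The `raw_vars` variable must be defined as a list of strings.'`, importing `string_types` alongside `iteritems` from `ansible.compat.six` which this file already imports from. The `DataLoader()` created in `__init__` is used only for this Templar call, so a short comment on that line saying so would stop a reader looking for file-loading side effects.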
From: Michael Silber Date: Thu, 30 Jun 2016 03:22:08 -0400 Subject: [PATCH 025/292] Allow custom current_path Remove Vagrantfile assignment Define project_current_path in roles/deploy/defaults/main.yml instead of deploy.yml (also change var name to match convention Ensure rollback role gets project_current_path var Neater var order Even better, shorter vars Change path after merge of #616 Add changelog entry --- CHANGELOG.md | 1 + Vagrantfile | 8 ++++---- roles/deploy/defaults/main.yml | 4 ++++ roles/deploy/tasks/finalize.yml | 1 + roles/deploy/tasks/initialize.yml | 1 + roles/rollback/tasks/main.yml | 2 +- roles/rollback/tasks/prior-release.yml | 2 +- roles/rollback/tasks/user-release.yml | 2 +- roles/wordpress-install/tasks/directories.yml | 2 +- roles/wordpress-install/tasks/main.yml | 12 ++++++------ .../wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- rollback.yml | 1 + 12 files changed, 23 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9761fe0441..f60808aefa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### HEAD * Fix `wp_home` option in Multisite after install in development ([#616](https://github.com/roots/trellis/pull/616)) +* Add `current_path` var and default to enable custom current release path ([#607](https://github.com/roots/trellis/pull/607)) * Add Vagrant post up message ([#602](https://github.com/roots/trellis/pull/602)) * Fix #468 - Use curl to install wp-cli tab completions ([#593](https://github.com/roots/trellis/pull/593)) * Require Ansible 2.0.2 and remove deploy_helper ([#579](https://github.com/roots/trellis/pull/579)) diff --git a/Vagrantfile b/Vagrantfile index 9e2fa6d4e5..d16be5cf3b 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -63,7 +63,7 @@ Vagrant.configure('2') do |config| if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd' wordpress_sites.each_pair do |name, site| - config.vm.synced_folder local_site_path(site), remote_site_path(name), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'] + config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'] end config.vm.synced_folder File.join(ANSIBLE_PATH, 'hosts'), File.join(ANSIBLE_PATH.sub(__dir__, '/vagrant'), 'hosts'), mount_options: ['dmode=755', 'fmode=644'] else @@ -72,7 +72,7 @@ Vagrant.configure('2') do |config| else wordpress_sites.each_pair do |name, site| config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' - config.bindfs.bind_folder nfs_path(name), remote_site_path(name), u: 'vagrant', g: 'www-data', o: 'nonempty' + config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' end end end @@ -147,6 +147,6 @@ def post_up_message msg end -def remote_site_path(site_name) - "/srv/www/#{site_name}/current" +def remote_site_path(site_name, site) + "/srv/www/#{site_name}/#{site['current_path'] || 'current'}" end diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 3974dedaf4..a592b98c11 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -40,3 +40,7 @@ project_shared_children: # WP_ENV: "production" project_environment: WP_ENV: "{{ env }}" + +# The project_current_path is the symlink used for the latest or active deployment +# - default is 'current' +project_current_path: "{{ project.current_path | default('current') }}" diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index 3699ffb7d5..e21bccaf0e 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml 
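Review bot: `project_current_path` is taken verbatim from `project.current_path` and becomes a path segment under `project_root` for deploy_helper's symlink and, in the rollback role, an argument inside `shell:` commands, yet nothing rejects a value containing `/`, `..` or whitespace. It is operator-supplied configuration rather than untrusted input, but a typo such as `current/` or an absolute path would silently place the symlink somewhere else; an `assert` task at the top of the deploy role, `that: "project_current_path is match('^[A-Za-z0-9._-]+$') and project_current_path not in ['.', '..']"`, would fail early with a clear message. The same value is read independently as `site['current_path']` in the Vagrantfile and as `item.value.current_path | default('current')` in wordpress-install, so the default comment here should say it must be kept in sync with those readers.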
@@ -4,6 +4,7 @@ - name: Finalize the deploy deploy_helper: + current_path: "{{ project_current_path }}" path: "{{ project_root }}" release: "{{ deploy_helper.new_release }}" state: finalize diff --git a/roles/deploy/tasks/initialize.yml b/roles/deploy/tasks/initialize.yml index 1d5b833f03..ed175524aa 100644 --- a/roles/deploy/tasks/initialize.yml +++ b/roles/deploy/tasks/initialize.yml @@ -4,6 +4,7 @@ - name: Initialize deploy_helper: + current_path: "{{ project_current_path }}" path: "{{ project_root }}" state: present diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index 59255cc6bf..aa78e0db1d 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml @@ -17,6 +17,6 @@ - name: Link 'current' directory to target release file: - path: "{{ project_root }}/current" + path: "{{ project_root }}/{{ project_current_path }}" src: "{{ new_release_path }}" state: link diff --git a/roles/rollback/tasks/prior-release.yml b/roles/rollback/tasks/prior-release.yml index fb5bba9851..1788aeebe8 100644 --- a/roles/rollback/tasks/prior-release.yml +++ b/roles/rollback/tasks/prior-release.yml @@ -1,6 +1,6 @@ --- - name: Get list position of current symlinked release - shell: "ls releases | grep -n $(basename $(readlink current)) | cut -f1 -d:" + shell: "ls releases | grep -n $(basename $(readlink {{ project_current_path }})) | cut -f1 -d:" args: chdir: "{{ project_root }}" register: current_release_position diff --git a/roles/rollback/tasks/user-release.yml b/roles/rollback/tasks/user-release.yml index 965405720c..6e356e1bc0 100644 --- a/roles/rollback/tasks/user-release.yml +++ b/roles/rollback/tasks/user-release.yml @@ -5,7 +5,7 @@ register: specified - name: Get name of current symlinked release - shell: "basename $(readlink current)" + shell: "basename $(readlink {{ project_current_path }})" args: chdir: "{{ project_root }}" register: current_release 
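Review bot: In prior-release.yml the new `readlink {{ project_current_path }}` interpolates the variable into a `shell:` string without quoting, inside a `$(...)` substitution, so whitespace or any shell metacharacter in `current_path` is interpreted by the shell; user-release.yml's `basename $(readlink {{ project_current_path }})` has the same exposure. Apply the core `quote` filter in both places, `readlink {{ project_current_path | quote }}`, so the value stays a single shell word whatever it contains. The `file: state=link` task in main.yml is unaffected because it does not go through a shell, and the `prior-release` loop body is otherwise unchanged by this commit.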
diff --git a/roles/wordpress-install/tasks/directories.yml b/roles/wordpress-install/tasks/directories.yml index 31802eed3f..093d3212a6 100644 --- a/roles/wordpress-install/tasks/directories.yml +++ b/roles/wordpress-install/tasks/directories.yml @@ -1,7 +1,7 @@ --- - name: Create web root of sites file: - path: "{{ www_root }}/{{ item.key }}/current/web" + path: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web" owner: "{{ web_user }}" group: "{{ web_group }}" mode: 0755 diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 6cbc36ff72..bc4f7398fe 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -11,7 +11,7 @@ with_dict: "{{ wordpress_sites }}" - name: Copy .env file into web root - command: rsync -ac --info=NAME /tmp/{{ item.key }}.env {{ www_root }}/{{ item.key }}/current/.env + command: rsync -ac --info=NAME /tmp/{{ item.key }}.env {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env with_dict: "{{ wordpress_sites }}" register: env_file changed_when: env_file.stdout == "{{ item.key }}.env" @@ -19,7 +19,7 @@ - name: Install Dependencies with Composer command: composer install args: - chdir: "{{ www_root }}/{{ item.key }}/current/" + chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" register: composer_results with_dict: "{{ wordpress_sites }}" changed_when: "'Nothing to install or update' not in composer_results.stderr" @@ -33,7 +33,7 @@ --admin_password="{{ vault_wordpress_sites[item.key].admin_password }}" --admin_email="{{ item.value.admin_email }}" args: - chdir: "{{ www_root }}/{{ item.key }}/current/" + chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" register: wp_install_results with_dict: "{{ wordpress_sites }}" when: item.value.site_install | default(true) and not item.value.multisite.enabled | default(false) 
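Review bot: The expression `{{ item.value.current_path | default('current') }}` is now repeated in directories.yml and in every task of main.yml shown here (and again in the nginx site template), while the deploy role derives the same value as `project_current_path`, so a change to the default or the addition of validation has to be made in many places and the copies can drift. Define it once next to `site_env` in group_vars/all/main.yml, `site_current_path: "{{ item.value.current_path | default('current') }}"`, and write these paths as `{{ www_root }}/{{ item.key }}/{{ site_current_path }}/`, mirroring how `site_env` is already shared by the `Update WP Multisite Home URL` task. The `.env` copy still stages the file via `/tmp/{{ item.key }}.env`; that predates this change but the new path form is a good moment to note in a comment that the temp file holds secrets and should be removed after the rsync.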
@@ -42,7 +42,7 @@ - name: Setup Permalink Structure command: wp rewrite structure {{ item.value.initial_permalink_structure | default("/%postname%/") }} --allow-root args: - chdir: "{{ www_root }}/{{ item.key }}/current/" + chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" with_dict: "{{ wordpress_sites }}" when: wp_install_results | changed and not item.value.multisite.enabled | default(false) @@ -57,7 +57,7 @@ --admin_password="{{ vault_wordpress_sites[item.key].admin_password }}" --admin_email="{{ item.value.admin_email }}" args: - chdir: "{{ www_root }}/{{ item.key }}/current/" + chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" register: wp_install_results with_dict: "{{ wordpress_sites }}" when: item.value.site_install | default(true) and item.value.multisite.enabled | default(false) @@ -66,6 +66,6 @@ - name: Update WP Multisite Home URL command: wp option update home {{ site_env.wp_home }} --allow-root args: - chdir: "{{ www_root }}/{{ item.key }}/current/" + chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" with_dict: "{{ wordpress_sites }}" when: item.value.site_install | default(true) and item.value.multisite.enabled | default(false) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index c94d05cd7c..cf68c6b4b3 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -11,7 +11,7 @@ server { access_log {{ www_root }}/{{ item.key }}/logs/access.log; error_log {{ www_root }}/{{ item.key }}/logs/error.log; - root {{ www_root }}/{{ item.key }}/current/web; + root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web; index index.php index.htm index.html; charset utf-8; diff --git a/rollback.yml b/rollback.yml index b3b69904d3..2ce5ff5212 100644 
--- a/rollback.yml +++ b/rollback.yml @@ -9,6 +9,7 @@ vars: project_root: "{{ www_root }}/{{ site }}" + project_current_path: "{{ wordpress_sites[site].current_path | default('current') }}" roles: - rollback From 9763d65ca64a6c228c532fc43c1aa471512f80ed Mon Sep 17 00:00:00 2001 From: Michael Silber Date: Mon, 18 Jul 2016 14:57:47 -0400 Subject: [PATCH 026/292] Setup permalink structure for multisite installs too Add to changelog --- CHANGELOG.md | 1 + roles/wordpress-install/tasks/main.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f60808aefa..651cd23f4f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Setup permalink structure for multisite installs too ([#617](https://github.com/roots/trellis/pull/617)) * Fix `wp_home` option in Multisite after install in development ([#616](https://github.com/roots/trellis/pull/616)) * Add `current_path` var and default to enable custom current release path ([#607](https://github.com/roots/trellis/pull/607)) * Add Vagrant post up message ([#602](https://github.com/roots/trellis/pull/602)) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index bc4f7398fe..83c9bd7c8f 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml 
@@ -39,13 +39,6 @@ when: item.value.site_install | default(true) and not item.value.multisite.enabled | default(false) changed_when: "'WordPress is already installed.' not in wp_install_results.stdout" -- name: Setup Permalink Structure - command: wp rewrite structure {{ item.value.initial_permalink_structure | default("/%postname%/") }} --allow-root - args: - chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - with_dict: "{{ wordpress_sites }}" - when: wp_install_results | changed and not item.value.multisite.enabled | default(false) - - name: Install WP Multisite command: wp core multisite-install --allow-root @@ -63,6 +56,13 @@ when: item.value.site_install | default(true) and item.value.multisite.enabled | default(false) changed_when: "'The network already exists.' not in wp_install_results.stdout" +- name: Setup Permalink Structure + command: wp rewrite structure {{ item.value.initial_permalink_structure | default("/%postname%/") }} --allow-root + args: + chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" + with_dict: "{{ wordpress_sites }}" + when: wp_install_results | changed + - name: Update WP Multisite Home URL command: wp option update home {{ site_env.wp_home }} --allow-root args: From abea208185e564ce65fb484649d2dfa954f5178d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 22 Jul 2016 21:42:05 -0400 Subject: [PATCH 027/292] Fix #612 - Bump nginx_fastcgi_buffer_size `admin-ajax.php` apparently causes huge headers causing Nginx errors: > upstream sent too big header while reading response header from upstream Bumping this default value to `8k` fixes the issues. --- CHANGELOG.md | 1 + roles/nginx/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 651cd23f4f..17f59863e0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
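Review bot: Moving `Setup Permalink Structure` after `Install WP Multisite` changes what `wp_install_results` refers to when `when: wp_install_results | changed` is evaluated: the single-site and multisite install tasks both `register` that name, and the later task overwrites it even when it is skipped for every site, so for a plain (non-multisite) site the registered value appears to be the skipped multisite run and the permalink task may never fire. Registering the two installs under different names and testing both, `when: wp_install_results | changed or wp_multisite_install_results | changed`, keeps the behaviour the commit intends. This should be confirmed against the pinned Ansible's handling of a fully skipped `with_dict` task, since the overwrite depends on skipped loops still registering a result.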
@@ -1,4 +1,5 @@ ### HEAD +* Fix #612 - Bump nginx_fastcgi_buffer_size to `8k` ([#620](https://github.com/roots/trellis/pull/620)) * Setup permalink structure for multisite installs too ([#617](https://github.com/roots/trellis/pull/617)) * Fix `wp_home` option in Multisite after install in development ([#616](https://github.com/roots/trellis/pull/616)) * Add `current_path` var and default to enable custom current release path ([#607](https://github.com/roots/trellis/pull/607)) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index dbfdacd430..0f63702625 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -3,7 +3,7 @@ nginx_path: /etc/nginx nginx_logs_root: /var/log/nginx nginx_user: www-data nginx_fastcgi_buffers: 8 8k -nginx_fastcgi_buffer_size: 4k +nginx_fastcgi_buffer_size: 8k nginx_ssl_path: "{{ nginx_path }}/ssl" # HSTS defaults From a1da2804a48190618d60b509f9c8fa493c649073 Mon Sep 17 00:00:00 2001 From: Shawn Mosher Date: Tue, 26 Jul 2016 17:42:27 -0700 Subject: [PATCH 028/292] Updated windows.sh (#623) Fix #621 - Add apt update before installing pip in windows.sh --- windows.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/windows.sh b/windows.sh index fe5081fb46..68bc130747 100644 --- a/windows.sh +++ b/windows.sh @@ -32,6 +32,7 @@ fi # Install Ansible and its dependencies if not installed. if [ ! -f /usr/bin/ansible ]; then echo "Installing pip..." + sudo apt-get -y update sudo apt-get -y install python-pip echo "Installing Ansible with pip..." sudo pip install ansible=='2.0.2.0' From db89d49a18e60b5c9e1e8a1a4901080bfe871e26 Mon Sep 17 00:00:00 2001 
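Review bot: The added `sudo apt-get -y update` ignores its exit status, so a failed index refresh (no network, broken mirror) falls through to `apt-get -y install python-pip` and then to `sudo pip install`, surfacing as a confusing later error instead of stopping at the cause. Unless the script already runs under `set -e` (its header is outside this hunk), chain the two steps, `sudo apt-get -y update && sudo apt-get -y install python-pip`, or test the status and exit with a message. A one-line comment above the update saying why it is needed (a fresh image with a stale package index) would also help the next person who is tempted to remove it for speed.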
From: Phil Nelson Date: Thu, 21 Jul 2016 19:20:38 -0600 Subject: [PATCH 029/292] Require explicit redirects and drop www_redirect Discontinues the `reverse_www` filter, overcoming its challenges in handling subdomains. --- Vagrantfile | 12 +++++-- group_vars/all/main.yml | 3 ++ group_vars/development/wordpress_sites.yml | 4 ++- group_vars/production/wordpress_sites.yml | 4 ++- group_vars/staging/wordpress_sites.yml | 4 ++- lib/trellis/plugins/filter/filters.py | 32 ------------------- roles/common/tasks/main.yml | 7 ++++ roles/common/templates/site_hosts.j2 | 17 ++++++++++ roles/letsencrypt/tasks/certificates.yml | 8 ++--- roles/letsencrypt/tasks/nginx.yml | 2 +- .../templates/nginx-challenge-site.conf.j2 | 2 +- .../tasks/self-signed-certificate.yml | 2 +- .../templates/wordpress-site.conf.j2 | 12 +++---- 13 files changed, 58 insertions(+), 51 deletions(-) create mode 100644 roles/common/templates/site_hosts.j2 diff --git a/Vagrantfile b/Vagrantfile index d16be5cf3b..ab014d33e8 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -49,14 +49,20 @@ Vagrant.configure('2') do |config| # Required for NFS to work config.vm.network :private_network, ip: ip, hostsupdater: 'skip' - hostname, *aliases = wordpress_sites.flat_map { |(_name, site)| site['site_hosts'] } + wordpress_sites.flat_map { |(_name, site)| site['site_hosts'] }.each do |host| + if !host.is_a?(Hash) or !host.has_key?('canonical') + fail_with_message File.read(File.join(ANSIBLE_PATH, 'roles/common/templates/site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') + end + end + + hostname, *aliases = wordpress_sites.flat_map { |(_name, site)| site['site_hosts'].map { |host| host['canonical'] } } config.vm.hostname = hostname - www_aliases = ["www.#{hostname}"] + aliases.map { |host| "www.#{host}" } + redirects = wordpress_sites.flat_map { |(_name, site)| site['site_hosts'].select { |host| host.has_key?('redirects') }.flat_map { |host| host['redirects'] } } if Vagrant.has_plugin? 'vagrant-hostmanager' config.hostmanager.enabled = true config.hostmanager.manage_host = true - config.hostmanager.aliases = aliases + www_aliases + config.hostmanager.aliases = aliases + redirects else fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager" end diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index e96d2d3995..4a3a67a25f 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
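Review bot: The validation message is built with the bang methods `sub!` and `gsub!`, which return `nil` when nothing was substituted; if the template ever loses the `{{ env }}` placeholder the chained `.gsub!` raises NoMethodError on nil, and if no line ends in `com` the argument to `fail_with_message` becomes `nil`, hiding the real format error behind a Ruby exception. Use the non-mutating forms, `File.read(...).sub('{{ env }}', 'development').gsub(/com$/, 'dev')`, which always return a String. The check `!host.is_a?(Hash) or !host.has_key?('canonical')` also does not confirm that `redirects`, when present, is an Array of Strings, which the `flat_map` over `host['redirects']` a few lines below assumes.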
@@ -17,6 +17,9 @@ wordpress_env_defaults: wp_siteurl: "${WP_HOME}/wp" site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" +site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" +site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" +site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml index 148cfdde91..5153ccc612 100644 --- a/group_vars/development/wordpress_sites.yml +++ b/group_vars/development/wordpress_sites.yml @@ -5,7 +5,9 @@ wordpress_sites: example.com: site_hosts: - - example.dev + - canonical: example.dev + redirects: + - www.example.dev local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root) admin_email: admin@example.dev multisite: diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml index 04bb0d2210..e8a875d1ca 100644 --- a/group_vars/production/wordpress_sites.yml +++ b/group_vars/production/wordpress_sites.yml @@ -5,7 +5,9 @@ wordpress_sites: example.com: site_hosts: - - example.com + - canonical: example.com + redirects: + - www.example.com local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root) repo: git@github.com:example/example.com.git # replace with your Git repo URL repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml index d9f5146e68..054770ea7a 100644 
--- a/group_vars/staging/wordpress_sites.yml +++ b/group_vars/staging/wordpress_sites.yml @@ -5,7 +5,9 @@ wordpress_sites: example.com: site_hosts: - - staging.example.com + - canonical: staging.example.com + # redirects: + # - otherdomain.com local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root) repo: git@github.com:example/example.com.git # replace with your Git repo URL repo_subtree_path: site # relative path to your Bedrock/WP directory in your repo diff --git a/lib/trellis/plugins/filter/filters.py b/lib/trellis/plugins/filter/filters.py index a242736c0f..1b2e0bb92e 100644 --- a/lib/trellis/plugins/filter/filters.py +++ b/lib/trellis/plugins/filter/filters.py @@ -7,37 +7,6 @@ from ansible import errors from ansible.compat.six import string_types -def reverse_www(hosts, enabled=True, append=True): - ''' Add or remove www subdomain ''' - - if not enabled: - return hosts - - # Check if hosts is a list and parse each host - if isinstance(hosts, (list, tuple, types.GeneratorType)): - reversed_hosts = [reverse_www(host) for host in hosts] - - if append: - return list(set(hosts + reversed_hosts)) - else: - return reversed_hosts - - # Add or remove www - elif isinstance(hosts, string_types): - host = hosts - - if host.startswith('www.'): - return host[4:] - else: - if len(host.split('.')) > 2: - return host - else: - return 'www.{0}'.format(host) - - # Handle invalid input type - else: - raise errors.AnsibleFilterError('The reverse_www filter expects a string or list of strings, got ' + repr(hosts)) - def to_env(dict_value): envs = ["{0}='{1}'".format(key.upper(), value) for key, value in sorted(dict_value.items())] return "\n".join(envs) @@ -51,7 +20,6 @@ class FilterModule(object): def filters(self): return { - 'reverse_www': reverse_www, 'to_env': to_env, 'underscore': underscore, } diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c479afb3bd..d4c222266f 100644 --- a/roles/common/tasks/main.yml 
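Review bot: Removing `reverse_www` leaves `from ansible import errors` and `from ansible.compat.six import string_types`, both visible as context at the top of this hunk, without a remaining user in the code shown (`to_env` and `underscore` reference neither), and the same probably holds for an `import types` line above the hunk if it exists. Unless another part of the file uses them, drop the now-dead imports so a reader does not hunt for error handling or type checks that no longer exist in this module. The filter was also the only place that rejected non-string hosts with an AnsibleFilterError; that responsibility now lives in the `Validate format of site_hosts` task, which is worth stating in the commit message.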
+++ b/roles/common/tasks/main.yml @@ -10,6 +10,13 @@ when: ansible_version is not defined or false in [{% for item in ansible_requirements %}{{ ansible_version.full | version_compare(item.version, item.operator) }},{% endfor %}] run_once: true +- name: Validate format of site_hosts + fail: + msg: "{{ lookup('template', 'site_hosts.j2') }}" + with_dict: "{{ wordpress_sites }}" + when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count + tags: [letsencrypt, wordpress] + - name: Update Apt apt: update_cache: yes diff --git a/roles/common/templates/site_hosts.j2 b/roles/common/templates/site_hosts.j2 new file mode 100644 index 0000000000..6ad7aa34a1 --- /dev/null +++ b/roles/common/templates/site_hosts.j2 @@ -0,0 +1,17 @@ +Required format for `site_hosts` (group_vars/{{ env }}/wordpress_sites.yml): + +example.com: + site_hosts: + - canonical: example.com + +The above is the minimum required. Multiple hosts and redirects are possible: + +example.com: + site_hosts: + - canonical: example.com + redirects: + - www.example.com + - site.com + - canonical: example.co.uk + redirects: + - www.example.co.uk diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index b74edbcb05..7629c2fc7f 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml 
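Review bot: `Validate format of site_hosts` only checks that each entry has a `canonical` key; the canonical and redirect values are then spliced unescaped into openssl command lines, nginx `server_name` directives and a Jinja template, so this task is the natural place to also reject values that are not plausible hostnames. A sibling `fail` task that triggers when any entry of the combined `site_hosts` list contains whitespace, a slash or a quote character (a `search` test against that small character class, rather than an ASCII-only whitelist, since unicode hostnames appear to be supported elsewhere in this project) would stop a stray scheme prefix, path or quote before it reaches those consumers. The `tags: [letsencrypt, wordpress]` line is important — without it a tagged run would skip the validation — and deserves a comment saying so.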
@@ -15,19 +15,19 @@ tags: [letsencrypt_keys] - name: Generate CSRs for single domain keys - shell: openssl req -new -sha256 -key "{{ letsencrypt_keys_dir }}/{{ item.key }}.key" -subj "/CN={{ item.value.site_hosts[0] }}" > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr + shell: openssl req -new -sha256 -key "{{ letsencrypt_keys_dir }}/{{ item.key }}.key" -subj "/CN={{ item.value.site_hosts[0].canonical }}" > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr args: creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" - when: site_uses_letsencrypt and item.value.site_hosts | length == 1 and not item.value.www_redirect | default(true) + when: site_uses_letsencrypt and site_hosts | count == 1 with_dict: "{{ wordpress_sites }}" tags: [letsencrypt_keys] - name: Generate CSRs for multiple domain keys - shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ item.value.site_hosts | reverse_www(enabled=item.value.www_redirect | default(true)) | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" + shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" args: executable: /bin/bash creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" - when: site_uses_letsencrypt and item.value.www_redirect | default(true) + when: site_uses_letsencrypt and site_hosts | count > 1 with_dict: "{{ wordpress_sites }}" tags: [letsencrypt_keys] diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 564cdf8488..9a637ec5c0 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml 
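Review bot: The SAN list in `Generate CSRs for multiple domain keys` is now derived from `site_hosts`, which includes redirect hosts, but the task is still guarded by `creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr"`, so adding a redirect or changing the canonical host after the first run leaves the old CSR in place and the next certificate will not cover the new name unless something outside this hunk removes the file. The same applies to the consolidated `Generate CSRs` task in the later commit (`@@ -14,20 +14,12 @@` in the same file). Either drop the `creates:` guard and compare the rendered SAN list against the existing CSR, or record the host list next to the CSR and regenerate when it differs; at minimum a comment such as `# creates: freezes the CSR at first run; delete it to pick up site_hosts changes` would document the behaviour.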
@@ -37,7 +37,7 @@ - name: Test Acme Challenges test_challenges: - hosts: "{{ item.value.site_hosts | reverse_www(enabled=item.value.www_redirect | default(true)) }}" + hosts: "{{ site_hosts }}" register: letsencrypt_test_challenges ignore_errors: true when: site_uses_letsencrypt diff --git a/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 b/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 index 7b80c271ce..6070698b74 100644 --- a/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 +++ b/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 @@ -1,5 +1,5 @@ server { listen 80; - server_name {{ item.item.value.site_hosts | reverse_www(enabled=item.item.value.www_redirect | default(true)) | join(' ') }}; + server_name{% for item in item.item.value.site_hosts %} {{ item.canonical }}{% for redirect in item.redirects | default([]) %} {{ redirect }}{% endfor %}{% endfor %}; include acme-challenge-location.conf; } diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 9dda3e33d5..4f1aacd3f6 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml @@ -1,7 +1,7 @@ --- - name: Generate self-signed certificates shell: > - openssl req -subj "/CN={{ item.value.site_hosts | first }}" -new + openssl req -subj "/CN={{ item.value.site_hosts[0].canonical }}" -new -newkey rsa:2048 -days 3650 -nodes -x509 -sha256 -keyout {{ item.key }}.key -out {{ item.key }}.cert args: diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index cf68c6b4b3..2393e57500 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
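Review bot: In `nginx-challenge-site.conf.j2` the new loop `{% for item in item.item.value.site_hosts %}` reuses `item` as the loop variable while iterating an expression that also reads `item`; Jinja evaluates the iterable before binding the loop variable, so it renders, but anyone extending the block to read `item.item.value.*` inside the loop would get the host dict instead. Renaming the loop variable avoids the trap: `server_name{% for host in item.item.value.site_hosts %} {{ host.canonical }}{% for redirect in host.redirects | default([]) %} {{ redirect }}{% endfor %}{% endfor %};`. The `server` block is fully inside the hunk.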
@@ -7,7 +7,7 @@ server { listen 80; {% endif %} - server_name {% for host in item.value.site_hosts %} {{ host }} {% if item.value.multisite.subdomains | default(false) %} *.{{ host }} {% endif %} {% endfor %}; + server_name {% for host in site_hosts_canonical %}{{ host }} {% if item.value.multisite.subdomains | default(false) %}*.{{ host }} {% endif %}{% endfor %}; access_log {{ www_root }}/{{ item.key }}/logs/access.log; error_log {{ www_root }}/{{ item.key }}/logs/error.log; @@ -81,7 +81,7 @@ server { server { listen 80; - server_name {{ item.value.site_hosts | reverse_www(enabled=item.value.www_redirect | default(true)) | join(' ') }} {% if item.value.multisite.subdomains | default(false) %} *.{{ item.value.site_hosts | join(' *.') }} {% endif %}; + server_name {{ site_hosts | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | join(' *.') }}{% endif %}; {% if item.value.ssl.provider | default('manual') == 'letsencrypt' -%} include acme-challenge-location.conf; @@ -95,7 +95,7 @@ server { } {% endif %} -{% for host in item.value.site_hosts if item.value.www_redirect | default(true) %} +{% for host in item.value.site_hosts if host.redirects | default([]) %} server { {% if item.value.ssl is defined and item.value.ssl.enabled | default(false) -%} listen 443 ssl http2; @@ -105,16 +105,16 @@ server { listen 80; {% endif -%} - server_name {{ host | reverse_www(append=false) }}; + server_name {{ host.redirects | join(' ') }}; {% if item.value.ssl is not defined or not item.value.ssl.enabled | default(false) -%} include acme-challenge-location.conf; location / { - return 301 $scheme://{{ host }}$request_uri; + return 301 $scheme://{{ host.canonical }}$request_uri; } {% else %} - return 301 $scheme://{{ host }}$request_uri; + return 301 $scheme://{{ host.canonical }}$request_uri; {% endif %} } {% endfor %} From 7d7e104e0f072c01d036ead60efe40c80765a643 Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Mon, 25 Jul 2016 18:38:16 -0700 Subject: [PATCH 030/292] Refactor mapping of site_hosts in Vagrantfile --- Vagrantfile | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index ab014d33e8..08f3b3e884 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -49,20 +49,23 @@ Vagrant.configure('2') do |config| # Required for NFS to work config.vm.network :private_network, ip: ip, hostsupdater: 'skip' - wordpress_sites.flat_map { |(_name, site)| site['site_hosts'] }.each do |host| + site_hosts = wordpress_sites.flat_map { |(_name, site)| site['site_hosts'] } + + site_hosts.each do |host| if !host.is_a?(Hash) or !host.has_key?('canonical') fail_with_message File.read(File.join(ANSIBLE_PATH, 'roles/common/templates/site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') end end - hostname, *aliases = wordpress_sites.flat_map { |(_name, site)| site['site_hosts'].map { |host| host['canonical'] } } - config.vm.hostname = hostname - redirects = wordpress_sites.flat_map { |(_name, site)| site['site_hosts'].select { |host| host.has_key?('redirects') }.flat_map { |host| host['redirects'] } } + main_hostname, *hostnames = site_hosts.map { |host| host['canonical'] } + config.vm.hostname = main_hostname + + redirects = site_hosts.flat_map { |host| host['redirects'] }.compact if Vagrant.has_plugin? 'vagrant-hostmanager' config.hostmanager.enabled = true config.hostmanager.manage_host = true - config.hostmanager.aliases = aliases + redirects + config.hostmanager.aliases = hostnames + redirects else fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager" end From 716420795243618245dbe1c6c6bf1cdd507ae3ed Mon Sep 17 00:00:00 2001 
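Review bot: `redirects = site_hosts.flat_map { |host| host['redirects'] }.compact` relies on `flat_map` passing a `nil` block result through as a single element so that `compact` can drop it, which is correct but not obvious; it also means a scalar `redirects:` value (a string instead of a list) is appended as one element rather than flagged, because the validation loop above only checks for a Hash with a `canonical` key. A one-line comment would help the next reader, e.g. `# hosts without redirects yield nil from flat_map; compact removes them`, and the validation loop could additionally reject `host['redirects']` values that are not arrays. The enclosing `Vagrant.configure` block continues outside the hunk.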
From: Phil Nelson Date: Tue, 26 Jul 2016 08:26:50 -0700 Subject: [PATCH 031/292] Consolidate CSR-generation tasks --- roles/letsencrypt/tasks/certificates.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index 7629c2fc7f..d3e4405061 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -14,20 +14,12 @@ with_dict: "{{ wordpress_sites }}" tags: [letsencrypt_keys] -- name: Generate CSRs for single domain keys - shell: openssl req -new -sha256 -key "{{ letsencrypt_keys_dir }}/{{ item.key }}.key" -subj "/CN={{ item.value.site_hosts[0].canonical }}" > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr - args: - creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" - when: site_uses_letsencrypt and site_hosts | count == 1 - with_dict: "{{ wordpress_sites }}" - tags: [letsencrypt_keys] - -- name: Generate CSRs for multiple domain keys +- name: Generate CSRs shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" args: executable: /bin/bash creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" - when: site_uses_letsencrypt and site_hosts | count > 1 + when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" tags: [letsencrypt_keys] From ff5347e0c7a05c633652c2cb9aa2c33caf6fdbd7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 26 Jul 2016 13:05:07 -0700 Subject: [PATCH 032/292] Add changelog entry for site_hosts reformat --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 17f59863e0..d19d317bd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Require explicit redirects and drop www_redirect ([#622](https://github.com/roots/trellis/pull/622)) * Fix #612 - Bump nginx_fastcgi_buffer_size to `8k` ([#620](https://github.com/roots/trellis/pull/620)) * Setup permalink structure for multisite installs too ([#617](https://github.com/roots/trellis/pull/617)) * Fix `wp_home` option in Multisite after install in development ([#616](https://github.com/roots/trellis/pull/616)) From 265dc4f471cc70006a065740486a7dc682f83d20 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 26 Jul 2016 18:10:43 -0700 Subject: [PATCH 033/292] Consolidate helper vars into helpers.yml --- group_vars/all/helpers.yml | 13 +++++++++++++ group_vars/all/main.yml | 14 -------------- 2 files changed, 13 insertions(+), 14 deletions(-) create mode 100644 group_vars/all/helpers.yml diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml new file mode 100644 index 0000000000..a340a49fc2 --- /dev/null +++ b/group_vars/all/helpers.yml @@ -0,0 +1,13 @@ +wordpress_env_defaults: + db_host: localhost + db_name: "{{ item.key | underscore }}_{{ env }}" + db_user: "{{ item.key | underscore }}" + disable_wp_cron: true + wp_env: "{{ env }}" + wp_home: "{{ item.value.ssl.enabled | default(false) | ternary('https', 'http') }}://${HTTP_HOST}" + wp_siteurl: "${WP_HOME}/wp" + +site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" +site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" +site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" +site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 4a3a67a25f..5785141efb 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml 
@@ -7,20 +7,6 @@ www_root: /srv/www ip_whitelist: - "{{ lookup('pipe', 'curl -4 -s https://api.ipify.org') }}" -wordpress_env_defaults: - db_host: localhost - db_name: "{{ item.key | underscore }}_{{ env }}" - db_user: "{{ item.key | underscore }}" - disable_wp_cron: true - wp_env: "{{ env }}" - wp_home: "{{ item.value.ssl.enabled | default(false) | ternary('https', 'http') }}://${HTTP_HOST}" - wp_siteurl: "${WP_HOME}/wp" - -site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" -site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" -site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" -site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" - # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: # - vault_wordpress_sites.*.*_salt -- matches vault_wordpress_sites.example.com.env.secure_auth_salt etc. From f07bf72bcd5d7107c6f1aeeb042eb8b06cf8cee3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 7 May 2016 00:09:06 -0400 Subject: [PATCH 034/292] Fix #581 - Use WP-CLI to run WP cron https://github.com/roots/trellis/pull/533 caused a regression in the cron job which runs `wp-cron.php`. Since `wp_home` and `wp_siteurl` were changed to use bash and PHP variables, the cron command wouldn't work. The solution is to avoid this and use WP-CLI's `cron` command for running due cron events. --- CHANGELOG.md | 1 + roles/wordpress-setup/tasks/main.yml | 2 +- roles/wp-cli/defaults/main.yml | 2 +- roles/wp-cli/tasks/main.yml | 1 + 4 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d19d317bd3..92d5a93e25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Fix #581 - Use WP-CLI to run WP cron ([#583](https://github.com/roots/trellis/pull/583)) * Require explicit redirects and drop www_redirect ([#622](https://github.com/roots/trellis/pull/622)) * Fix #612 - Bump nginx_fastcgi_buffer_size to `8k` ([#620](https://github.com/roots/trellis/pull/620)) * Setup permalink structure for multisite installs too ([#617](https://github.com/roots/trellis/pull/617)) diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 2d4fcdff61..93a1aeca8c 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -30,7 +30,7 @@ name: "{{ item.key }} WordPress cron" minute: "*/15" user: "{{ web_user }}" - job: "curl -k -s {{ site_env.wp_siteurl }}/wp-cron.php > /dev/null 2>&1" + job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" when: site_env.disable_wp_cron and not item.value.multisite.enabled | default(false) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 7fb8e2df3c..437472c40c 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 0.23.1 +wp_cli_version: 0.24.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index d4bfadd4f6..5827479283 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -3,6 +3,7 @@ get_url: url: "{{ wp_cli_phar_url }}" dest: "{{ wp_cli_bin_path }}" + force: true mode: 0755 - name: Retrieve WP-CLI tab completions 
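Review bot: The new cron `job:` invokes `wp` by bare name from a `cd … &&` command, so it depends on cron's default `PATH` containing the WP-CLI install location; the `wp-cli` role defines `wp_cli_bin_path` for exactly that path, and using it (if the variable is in scope for this play) removes the dependency: `job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && {{ wp_cli_bin_path }} cron event run --due-now"`. The `cd` target is also interpolated unquoted, so site keys or `current_path` values containing spaces would split the command; quoting the path is cheap. Replacing the `curl -k` call is a welcome side effect, since that flag disabled certificate verification for the cron request.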
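Review bot: `force: true` makes the `get_url` task re-download `wp-cli-{{ wp_cli_version }}.phar` on every run, but the task still has no `checksum:` argument, so each provisioning run installs whatever the remote currently serves under that URL into `{{ wp_cli_bin_path }}`. Since the version is pinned in `wp_cli_version`, the matching digest can be pinned too, e.g. `checksum: "sha256:<PLACEHOLDER_PHAR_SHA256>"` next to `force: true`, which both verifies the download and lets `get_url` skip the fetch when the installed file already matches.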
From 9231012d06352c2e8740f793d2f48b36be6ef185 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 6 Jul 2016 21:27:24 -0600 Subject: [PATCH 035/292] Add vault_users for easier password management Automates password hashing and become pass submission. --- CHANGELOG.md | 1 + group_vars/all/security.yml | 2 +- group_vars/all/users.yml | 2 +- group_vars/production/main.yml | 1 - group_vars/production/vault.yml | 6 ++++-- group_vars/staging/main.yml | 1 - group_vars/staging/vault.yml | 6 ++++-- lib/trellis/plugins/vars/vars.py | 8 ++++++++ roles/remote-user/tasks/main.yml | 6 ++++++ roles/users/tasks/main.yml | 15 ++++++++++----- 10 files changed, 35 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 92d5a93e25..6f70e37f58 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add `vault_users` for easier password management ([#614](https://github.com/roots/trellis/pull/614)) * Fix #581 - Use WP-CLI to run WP cron ([#583](https://github.com/roots/trellis/pull/583)) * Require explicit redirects and drop www_redirect ([#622](https://github.com/roots/trellis/pull/622)) * Fix #612 - Bump nginx_fastcgi_buffer_size to `8k` ([#620](https://github.com/roots/trellis/pull/620)) diff --git a/group_vars/all/security.yml b/group_vars/all/security.yml index 240bbdcf7f..2d9df3d3b9 100644 --- a/group_vars/all/security.yml +++ b/group_vars/all/security.yml @@ -12,6 +12,6 @@ ferm_input_list: # Documentation: https://roots.io/trellis/docs/security/ # If sshd_permit_root_login: false, admin_user must be in 'users' (`group_vars/all/users.yml`) with sudo group -# and in 'vault_sudoer_passwords' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`) +# and in 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`) sshd_permit_root_login: true sshd_password_authentication: false diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index 20aa232f12..2e3b75ead6 100644 --- a/group_vars/all/users.yml 
+++ b/group_vars/all/users.yml @@ -1,7 +1,7 @@ # Documentation: https://roots.io/trellis/docs/ssh-keys/ admin_user: admin -# Also define 'vault_sudoer_passwords' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`) +# Also define 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`) users: - name: "{{ web_user }}" groups: diff --git a/group_vars/production/main.yml b/group_vars/production/main.yml index 8cbdb695a0..0a2d528829 100644 --- a/group_vars/production/main.yml +++ b/group_vars/production/main.yml @@ -1,2 +1 @@ mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/production/vault.yml -sudoer_passwords: "{{ vault_sudoer_passwords }}" # Define this variable in group_vars/production/vault.yml diff --git a/group_vars/production/vault.yml b/group_vars/production/vault.yml index 7bb5f5e19b..4cad0ed0ab 100644 --- a/group_vars/production/vault.yml +++ b/group_vars/production/vault.yml @@ -2,8 +2,10 @@ vault_mysql_root_password: productionpw # Documentation: https://roots.io/trellis/docs/security/ -vault_sudoer_passwords: - admin: $6$rounds=100000$JUkj1d3hCa6uFp6R$3rZ8jImyCpTP40e4I5APx7SbBvDCM8fB6GP/IGOrsk/GEUTUhl1i/Q2JNOpj9ashLpkgaCxqMqbFKdZdmAh26/ +vault_users: + - name: "{{ admin_user }}" + password: example_password + salt: "generateme" # Variables to accompany `group_vars/production/wordpress_sites.yml` # Note: the site name (`example.com`) must match up with the site name in the above file. diff --git a/group_vars/staging/main.yml b/group_vars/staging/main.yml index d6e975bdc7..4854eb0b2b 100644 --- a/group_vars/staging/main.yml +++ b/group_vars/staging/main.yml @@ -1,2 +1 @@ mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/staging/vault.yml -sudoer_passwords: "{{ vault_sudoer_passwords }}" # Define this variable in group_vars/staging/vault.yml 
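Review bot: `vault_users` now stores the sudo password in clear text (`password: example_password`) where the file previously held only a crypt hash, so anyone who can read an unencrypted `group_vars/production/vault.yml` obtains the become password directly; the same applies to the staging hunk (`group_vars/staging/vault.yml`). The existing comment only points at the security docs; a line such as `# Plain-text passwords: encrypt this file with ansible-vault before committing` above `vault_users` would make the new requirement explicit. The `salt: "generateme"` placeholder is also a literal value — if it is left as is, every deployment derived from this template hashes with the same salt, which the comment should say is meant to be replaced.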
diff --git a/group_vars/staging/vault.yml b/group_vars/staging/vault.yml index edb82a96a7..754b854483 100644 --- a/group_vars/staging/vault.yml +++ b/group_vars/staging/vault.yml @@ -2,8 +2,10 @@ vault_mysql_root_password: stagingpw # Documentation: https://roots.io/trellis/docs/security/ -vault_sudoer_passwords: - admin: $6$rounds=100000$JUkj1d3hCa6uFp6R$3rZ8jImyCpTP40e4I5APx7SbBvDCM8fB6GP/IGOrsk/GEUTUhl1i/Q2JNOpj9ashLpkgaCxqMqbFKdZdmAh26/ +vault_users: + - name: "{{ admin_user }}" + password: example_password + salt: "generateme" # Variables to accompany `group_vars/staging/wordpress_sites.yml` # Note: the site name (`example.com`) must match up with the site name in the above file. diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/vars/vars.py index e55242ecb6..f3f42b5263 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/vars/vars.py @@ -2,6 +2,7 @@ __metaclass__ = type import re +import sys from ansible import __version__ from ansible.errors import AnsibleError @@ -16,6 +17,12 @@ from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode from ansible.template import Templar +try: + import passlib.hash +except: + if sys.platform.startswith('darwin'): + raise AnsibleError('Ansible on OS X requires the python passlib module to create user password hashes.\nsudo easy_install pip\npip install passlib') + class VarsModule(object): ''' Creates and modifies host variables ''' @@ -79,4 +86,5 @@ def get_host_vars(self, host, vault_password=None): self.raw_vars(host, host.get_group_vars()) host.vars['cli_options'] = self.cli_options() host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) + host.vars['cli_ask_become_pass'] = getattr(self._options, 'become_ask_pass', False) return {} diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index 440ad1773c..f51cfcf87c 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml 
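Review bot: The `try: import passlib.hash` block in `vars.py` uses a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit` and, on anything other than Darwin, silently discards an import failure that the `password_hash` filter in `roles/users/tasks/main.yml` will later surface as a less clear error. Narrow it to `except ImportError:` and consider raising on every platform where the filter is going to be needed, since the OS X check is only a heuristic. As far as the hunk shows, nothing in this module uses `passlib` directly, so a comment such as `# import is a probe only; password_hash in roles/users needs passlib on this control host` would explain why the import is otherwise unused.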
@@ -23,3 +23,9 @@ - name: Announce which user was selected debug: msg: "Note: Ansible will attempt connections as user = {{ ansible_user }}" + +- name: Load become password + set_fact: + ansible_become_pass: "{% for user in vault_users | default([]) if user.name == ansible_user and user.password is defined %}{% if loop.first %}{{ user.password }}{% endif %}{% endfor %}" + when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined + no_log: true diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index c64b8fea8e..cfca1abb2c 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml 
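Review bot: `Load become password` sets `ansible_become_pass` whenever its `when` holds, so if `vault_users` has no entry for `ansible_user` (or the entry has no `password`) the loop renders an empty string and the fact becomes `''`; sudo then fails with a wrong-password error instead of the clearer undefined-variable behaviour, and the `ansible_become_pass is not defined` guard no longer applies on later runs. Guard the fact on a non-empty match, e.g. extend the `when:` with `and (vault_users | default([]) | selectattr('name', 'equalto', ansible_user) | selectattr('password', 'defined') | list | count > 0)`. Keeping `no_log: true` here is right, since the rendered value is the password itself.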
@@ -15,10 +15,15 @@ - name: Fail if root login will be disabled but admin_user will not be a sudoer assert: that: - - "{{ admin_user in (users | map(attribute='name') | list) }}" - - "{% for item in users if item.name == admin_user %}{{ 'sudo' in item.groups }}{% endfor %}" - - "{{ admin_user in sudoer_passwords.keys() }}" - msg: "When `sshd_permit_root_login: false`, you must add `sudo` to the `groups` for admin_user (in `users` hash), and set a password for admin_user in `sudoer_passwords`. Otherwise Ansible could lose the ability to run the necessary sudo commands." + - "{% for user in users if user.name == admin_user %}{% if loop.first %}{{ 'sudo' in user.groups }}{% endif %}{% else %}{{ false }}{% endfor %}" + - "{% for user in vault_users | default([]) if user.name == admin_user %}{% if loop.first %}{{ user.password is defined }}{% endif %}{% else %}{{ false }}{% endfor %}" + msg: | + When `sshd_permit_root_login: false`, you must add `sudo` to the `groups` for admin_user (in `users` hash), and set a password for admin_user in `vault_users` (in `group_vars/{{ env }}/vault.yml`). Otherwise Ansible could lose the ability to run the necessary sudo commands. {% if sudoer_passwords is defined or vault_sudoer_passwords is defined %} + + + Please note that `sudoer_passwords` and `vault_sudoer_passwords have been replaced with `vault_users`. {% endif %} + More info: + > https://roots.io/trellis/docs/security/#admin-user-sudoer-password when: not sshd_permit_root_login tags: sshd @@ -27,7 +32,7 @@ name: "{{ item.name }}" group: "{{ item.groups[0] }}" groups: "{{ item.groups | join(',') }}" - password: "{{ sudoer_passwords[item.name] | default(None) }}" + password: "{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password | password_hash('sha512', user.salt | default(None)) }}{% endif %}{% else %}{{ None }}{% endfor %}" state: present shell: /bin/bash update_password: always 
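Review bot: The multi-line `msg:` in the assert has an unbalanced backtick: the sentence `` `sudoer_passwords` and `vault_sudoer_passwords have been replaced with `vault_users`. `` is missing the closing backtick after `vault_sudoer_passwords`, so the rendered notice shows backticks in the wrong places. Change it to `` Please note that `sudoer_passwords` and `vault_sudoer_passwords` have been replaced with `vault_users`. ``. The `when:` and `tags:` lines are unchanged context.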
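Review bot: The new `password:` expression hashes `user.password` with `password_hash('sha512', user.salt | default(None))` on every run while the task keeps `update_password: always`; when a `vault_users` entry omits `salt`, the filter generates a fresh random salt each time (assuming the standard filter behaviour), so the hash differs on each run, the shadow entry is rewritten and the task reports changed on every provision. Document this next to the line, e.g. `# set salt in vault_users to get a stable hash and an idempotent task`, or derive a deterministic salt so an omitted `salt` is not a silent non-idempotency. The `{% else %}{{ None }}{% endfor %}` branch renders the string `None` rather than a null; whether Ansible converts it back to a real null before the `user` module sees it should be confirmed, otherwise accounts without a vault entry receive the literal value as their password field.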
From 41cee8334fc803ade0686d056094653918f8cf94 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 23 Jul 2016 02:54:19 -0600 Subject: [PATCH 036/292] Accommodate BREAKING tag in changelog --- CHANGELOG.md | 4 ++-- lib/trellis/utils/output.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6f70e37f58..bd263514a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ ### HEAD -* Add `vault_users` for easier password management ([#614](https://github.com/roots/trellis/pull/614)) +* [BREAKING] Add `vault_users` for easier password management ([#614](https://github.com/roots/trellis/pull/614)) * Fix #581 - Use WP-CLI to run WP cron ([#583](https://github.com/roots/trellis/pull/583)) -* Require explicit redirects and drop www_redirect ([#622](https://github.com/roots/trellis/pull/622)) +* [BREAKING] Require explicit redirects and drop `www_redirect` ([#622](https://github.com/roots/trellis/pull/622)) * Fix #612 - Bump nginx_fastcgi_buffer_size to `8k` ([#620](https://github.com/roots/trellis/pull/620)) * Setup permalink structure for multisite installs too ([#617](https://github.com/roots/trellis/pull/617)) * Fix `wp_home` option in Multisite after install in development ([#616](https://github.com/roots/trellis/pull/616)) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 63fdee8f06..8b54dc63cc 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -27,9 +27,9 @@ def system(vagrant_version=None): # Retrieve most recent changelog entry else: - change = re.search(r'.*\n\*\s*([^\(\n\[]+)', str) + change = re.search(r'^\*\s?(\[BREAKING\])?([^\(\n\[]+)', str, re.M|re.I) if change is not None: - changelog_msg = '\n Trellis at "{0}"'.format(change.group(1).strip()) + changelog_msg = '\n Trellis at "{0}"'.format(change.group(2).strip()) # Vagrant info, if available vagrant = ' Vagrant {0};'.format(vagrant_version) if vagrant_version else '' 
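Review bot: The new pattern `r'^\*\s?(\[BREAKING\])?([^\(\n\[]+)'` captures the `[BREAKING]` tag only to ignore it, which forced `group(1)` to become `group(2)` on the next line; a non-capturing group keeps the call stable: `change = re.search(r'^\*\s?(?:\[BREAKING\])?([^\(\n\[]+)', str, re.M|re.I)` with `change.group(1)` left as it was. With `re.M` the search also matches the first bullet anywhere in the file rather than only under the most recent heading, which looks intended but deserves a comment. The variable named `str` shadows the builtin; that is pre-existing context, and `system()` continues outside the hunk.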
From fab6981714d0ccb8550e8f50f47ac939cd57792a Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 1 Aug 2016 20:56:07 -0600 Subject: [PATCH 037/292] Update acme-tiny for new Let's Encrypt agreement URL --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 900e70caf5..e97eb7ca01 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -4,7 +4,7 @@ site_uses_letsencrypt: "{{ item.value.ssl is defined and item.value.ssl.enabled sites_need_confs: "False in [{% for item in nginx_confs.results if 'stat' in item %}{{ item.stat.exists }},{% endfor %}]" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' -acme_tiny_commit: '69a457269a6392ac31b629b4e103e8ea7dd282c9' +acme_tiny_commit: '5a7b4e79bc9bd5b51739c0d8aaf644f62cc440e6' acme_tiny_software_directory: /usr/local/letsencrypt acme_tiny_data_directory: /var/lib/letsencrypt From 356e18855dabb8b24310443f5adeff89d64e57b0 Mon Sep 17 00:00:00 2001 From: Paul Tibbetts Date: Tue, 2 Aug 2016 20:51:42 -0400 Subject: [PATCH 038/292] Upgrade to Ubuntu 16.04 Xenial --- CHANGELOG.md | 1 + README.md | 4 ++-- Vagrantfile | 6 ++---- roles/remote-user/tasks/main.yml | 4 ++-- server.yml | 8 ++++++++ 5 files changed, 15 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd263514a6..c030061501 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Upgrade Ubuntu from 14.04 Trusty to 16.04 Xenial ([#626](https://github.com/roots/trellis/pull/626)) * [BREAKING] Add `vault_users` for easier password management ([#614](https://github.com/roots/trellis/pull/614)) * Fix #581 - Use WP-CLI to run WP cron ([#583](https://github.com/roots/trellis/pull/583)) * [BREAKING] Require explicit redirects and drop `www_redirect` ([#622](https://github.com/roots/trellis/pull/622)) 
diff --git a/README.md b/README.md index 599ce0e165..2ab42a427b 100644 --- a/README.md +++ b/README.md @@ -12,7 +12,7 @@ Ansible playbooks for setting up a LEMP stack for WordPress. Trellis will configure a server with the following and more: -* Ubuntu 14.04 Trusty LTS +* Ubuntu 16.04 Xenial LTS * Nginx (with optional FastCGI micro-caching) * PHP 7.0 * MariaDB (a drop-in MySQL replacement) @@ -33,7 +33,7 @@ Make sure all dependencies have been installed before moving on: * [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) 2.0.2 * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 -* [Vagrant](https://releases.hashicorp.com/vagrant/1.8.1/) 1.8.1 +* [Vagrant](https://www.vagrantup.com/downloads.html) >= 1.8.5 * [vagrant-bindfs](https://github.com/gael-ian/vagrant-bindfs#installation) >= 0.3.1 (Windows users may skip this) * [vagrant-hostmanager](https://github.com/smdahlen/vagrant-hostmanager#installation) diff --git a/Vagrantfile b/Vagrantfile index 08f3b3e884..611735a426 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -34,10 +34,10 @@ if !Dir.exists?(ENV['ANSIBLE_ROLES_PATH']) && !Vagrant::Util::Platform.windows? fail_with_message "You are missing the required Ansible Galaxy roles, please install them with this command:\nansible-galaxy install -r requirements.yml" end -Vagrant.require_version '>= 1.5.1' +Vagrant.require_version '>= 1.8.5' Vagrant.configure('2') do |config| - config.vm.box = 'ubuntu/trusty64' + config.vm.box = 'bento/ubuntu-16.04' config.ssh.forward_agent = true config.vm.post_up_message = post_up_message @@ -122,7 +122,6 @@ Vagrant.configure('2') do |config| # VMware Workstation/Fusion settings ['vmware_fusion', 'vmware_workstation'].each do |provider| config.vm.provider provider do |vmw, override| - override.vm.box = 'puppetlabs/ubuntu-14.04-64-nocm' vmw.name = config.vm.hostname vmw.vmx['numvcpus'] = cpus vmw.vmx['memsize'] = memory 
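Review bot: `config.vm.box = 'bento/ubuntu-16.04'` is unpinned, so every fresh `vagrant up` pulls whatever the latest published release of that box is, and a changed or replaced box image lands in the development VM without any check; removing the provider-specific `override.vm.box` lines (here and in the next hunk) makes this single setting the only source of the image. Pin it with `config.vm.box_version = '<PLACEHOLDER_BOX_VERSION>'` alongside the box name, and consider `config.vm.box_download_checksum` with `config.vm.box_download_checksum_type` for the downloaded artifact. The `Vagrant.configure('2') do |config|` block continues outside the hunk.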
@@ -131,7 +130,6 @@ Vagrant.configure('2') do |config| # Parallels settings config.vm.provider 'parallels' do |prl, override| - override.vm.box = 'parallels/ubuntu-14.04' prl.name = config.vm.hostname prl.cpus = cpus prl.memory = memory diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index f51cfcf87c..41c2abf673 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml @@ -8,7 +8,7 @@ when: cli_ask_pass | default(false) - name: Check whether Ansible can connect as root - local_action: command ansible {{ inventory_hostname }} -m ping -u root {{ cli_options | default('') }} + local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u root {{ cli_options | default('') }} failed_when: false changed_when: false register: root_status @@ -16,7 +16,7 @@ - name: Set remote user for each host set_fact: - ansible_user: "{{ root_status | default({'failed':false}) | success | ternary('root', admin_user) }}" + ansible_user: "{{ ('root' in root_status.stdout_lines) | ternary('root', admin_user) }}" when: ansible_user is not defined diff --git a/server.yml b/server.yml index e422a67537..b53b063a28 100644 --- a/server.yml +++ b/server.yml @@ -9,6 +9,14 @@ roles: - { role: remote-user, tags: [remote-user, always] } +- name: Install prerequisites + hosts: web:&{{ env }} + gather_facts: false + become: yes + tasks: + - name: Install Python 2.x + raw: sudo apt-get install -qq -y python-simplejson + - name: WordPress Server - Install LEMP Stack with PHP 7.0 and MariaDB MySQL hosts: web:&{{ env }} become: yes From 09a52211b28d078067adfcde9b028e465d47a530 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 2 Aug 2016 23:29:23 -0400 Subject: [PATCH 039/292] Add validation task for Ubuntu version --- roles/common/tasks/main.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index d4c222266f..99bd894468 100644 
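Review bot: The `raw: sudo apt-get install -qq -y python-simplejson` line in the new "Install prerequisites" play already runs under `become: yes`, so the embedded `sudo` is redundant and, if the connecting account needs a password for sudo, it is this inner `sudo` that stalls on a prompt rather than Ansible's become handling; `raw: apt-get install -qq -y python-simplejson` keeps a single privilege path. The play also never refreshes the package index before installing, so on a freshly built image the install may fail on stale lists until an update has run (inferred — the box may ship current lists); `raw: apt-get update -qq && apt-get install -qq -y python-simplejson` would cover that case. A one-line comment above the play stating why it exists (Ansible modules need Python 2 on the target, which the 16.04 image does not ship) would help, since `gather_facts: false` and `raw:` look odd without that context.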
--- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -17,6 +17,23 @@ when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count tags: [letsencrypt, wordpress] +- name: Validate Ubuntu version + debug: + msg: | + Trellis is built for Ubuntu 16.04 Xenial as of https://github.com/roots/trellis/pull/626 + + Your Ubuntu version is {{ ansible_distribution_version }} {{ ansible_distribution_release }} + + We recommend you re-create your server to get the best experience. + + Note: both of these methods will delete all your existing data. It's up to you to backup what's needed and restore it. + + Development via Vagrant: `vagrant destroy && vagrant up` + + Staging/Production: Create a new server with Ubuntu 16.04 and provision + when: ansible_distribution_release == 'trusty' + run_once: true + - name: Update Apt apt: update_cache: yes From 221b5b1e2be92f6b4fe01e2b3d164edcd6d8b9df Mon Sep 17 00:00:00 2001 From: Ben Word Date: Wed, 3 Aug 2016 09:28:25 -0600 Subject: [PATCH 040/292] Update reference to Ubuntu version [ci skip] --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ab42a427b..8aa1b73698 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,7 @@ Trellis documentation is available at [https://roots.io/trellis/docs/](https://r ## Remote server setup (staging/production) -A base Ubuntu 14.04 server is required for setting up remote servers. +A base Ubuntu 16.04 server is required for setting up remote servers. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` From 8c8035ef4a5c2fe9e3ecc80fa48ed0ab0feaea7b Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Wed, 3 Aug 2016 13:06:35 -0600 Subject: [PATCH 041/292] Add vault_users patterns to raw_vars --- group_vars/all/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 5785141efb..daa4cecea3 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -14,4 +14,6 @@ ip_whitelist: raw_vars: - vault_mail_password - vault_mysql_root_password + - vault_users.*.password + - vault_users.*.salt - vault_wordpress_sites From 46ceb643706da8f75bb57b183a21470b2c6f4392 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 3 Aug 2016 19:23:56 -0600 Subject: [PATCH 042/292] Transform vault_user salts into allowable chars Ansible's password_hash filter uses crypt functions that limit salts to 0-16 chars from the regexp range [./a-zA-Z0-9] --- roles/users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index cfca1abb2c..eda1098472 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -32,7 +32,7 @@ name: "{{ item.name }}" group: "{{ item.groups[0] }}" groups: "{{ item.groups | join(',') }}" - password: "{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password | password_hash('sha512', user.salt | default(None)) }}{% endif %}{% else %}{{ None }}{% endfor %}" + password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password | password_hash("sha512", user.salt[:16] | default(None) | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% endif %}{% else %}{{ None }}{% endfor %}' state: present shell: /bin/bash update_password: always From 8b770d75f3b8f008e74f9335b0a0da1b40168a24 Mon Sep 17 00:00:00 2001 
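Review bot: Rewriting every character outside `[./a-zA-Z0-9]` to the constant `x` in the new `password:` expression silently weakens a user-supplied salt — a salt made mostly of other characters collapses to a run of `x`, and the operator gets no signal that the configured value was not used as given. Rejecting an invalid salt is the safer contract: a preceding `fail:` task that checks each defined `vault_users` salt against `^[./a-zA-Z0-9]{1,16}$` makes the crypt requirement from the commit message explicit instead of patching the value. Separately, `user.salt[:16] | default(None)` slices before the `default` filter runs, so an entry with a `password` but no `salt` may raise an undefined-variable error rather than fall through to an auto-generated salt — worth confirming against the Jinja2/Ansible versions in use, or guarding the slice with `user.salt is defined`. The enclosing `user:` task begins before the hunk.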
From: Phil Nelson Date: Fri, 5 Aug 2016 18:42:26 -0600 Subject: [PATCH 043/292] Adjust ansible_user and reload_nginx handler for Ansible 2.1 --- roles/common/tasks/reload_nginx.yml | 8 +++----- roles/remote-user/tasks/main.yml | 32 ++++++++++++++--------------- 2 files changed, 18 insertions(+), 22 deletions(-) diff --git a/roles/common/tasks/reload_nginx.yml b/roles/common/tasks/reload_nginx.yml index f8e32d2890..c0af12e9c1 100644 --- a/roles/common/tasks/reload_nginx.yml +++ b/roles/common/tasks/reload_nginx.yml @@ -1,12 +1,10 @@ --- -- name: test nginx conf +- name: reload nginx command: nginx -t register: nginx_test - changed_when: false + notify: "{{ (ansible_version.full | version_compare('2.1.1.0', '>=') and role_path | basename == 'common') | ternary('perform nginx reload', omit) }}" -- name: reload nginx +- name: perform nginx reload service: name: nginx state: reloaded - when: nginx_test | success - changed_when: false diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index 41c2abf673..ffdd66d2e9 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml 
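Review bot: `register: nginx_test` survives on the new side of the reload_nginx.yml hunk, but nothing reads it any more — the `when: nginx_test | success` guard went away with the old reload task — so either drop the `register:` or keep the explicit success check. The reload now rests on `nginx -t` failing the task (a non-zero exit aborts before `notify` fires) plus the `notify:` ternary, which resolves to `omit` whenever the Ansible version is below 2.1.1.0 or `role_path | basename` is not `common`; as far as is visible here, an nginx config change triggered from another role on an older Ansible therefore never reloads nginx. That condition is non-obvious enough to deserve a comment above the task explaining why both the version test and the role test are needed and what happens when they are false.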
@@ -1,23 +1,21 @@ --- -- block: - - name: Require manual definition of remote-user - fail: - msg: | - When using `--ask-pass` option, use `-u` option to define remote-user: - ansible-playbook server.yml -e env={{ env }} -u root --ask-pass - when: cli_ask_pass | default(false) +- name: Require manual definition of remote-user + fail: + msg: | + When using `--ask-pass` option, use `-u` option to define remote-user: + ansible-playbook server.yml -e env={{ env }} -u root --ask-pass + when: ansible_user is not defined and cli_ask_pass | default(false) - - name: Check whether Ansible can connect as root - local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u root {{ cli_options | default('') }} - failed_when: false - changed_when: false - register: root_status - tags: [connection-tests] - - - name: Set remote user for each host - set_fact: - ansible_user: "{{ ('root' in root_status.stdout_lines) | ternary('root', admin_user) }}" +- name: Check whether Ansible can connect as root + local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u root {{ cli_options | default('') }} + failed_when: false + changed_when: false + register: root_status + tags: [connection-tests] +- name: Set remote user for each host + set_fact: + ansible_user: "{{ ('root' in root_status.stdout_lines) | ternary('root', admin_user) }}" when: ansible_user is not defined - name: Announce which user was selected From 5e569c341ac3a6978044df790ce4fd9afd670db6 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 6 Aug 2016 11:46:03 -0600 Subject: [PATCH 044/292] Restore Vagrant version to system info fail output --- lib/trellis/plugins/callback/output.py | 1 + lib/trellis/utils/output.py | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index d566b69888..4bad319b2e 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py 
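Review bot: The un-nested "Check whether Ansible can connect as root" task now runs unconditionally, while only "Set remote user for each host" carries `when: ansible_user is not defined`; when the operator has already passed `-u` (the `--ask-pass` case the first task documents), the playbook still spawns a local `ansible … -u root` login attempt against every host, which is needless noise in the hosts' auth logs and cannot succeed without a password anyway. Adding the same `when: ansible_user is not defined` to the check task limits the root probe to the case where its result is consumed. The `'root' in root_status.stdout_lines` test also selects `admin_user` when the probe failed for a non-authentication reason (host key, DNS, local `ansible` missing) without saying so; a short comment on the `set_fact` noting that fallback would help anyone reading the "Announce which user was selected" output that follows outside the hunk.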
@@ -27,6 +27,7 @@ class CallbackModule(CallbackModule_default): def __init__(self): super(CallbackModule, self).__init__() output.reset_task_info(self) + self.vagrant_version = None def v2_runner_on_failed(self, result, ignore_errors=False): self.task_failed = True diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 8b54dc63cc..7de83d0b49 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -42,7 +42,6 @@ def reset_task_info(obj, task=None): obj.first_host = True obj.first_item = True obj.task_failed = False - obj.vagrant_version = None # Display dict key only, instead of full json dump def replace_item_with_key(obj, result): From acda017e9fa53bd6163f1c09cd48c309fbc2553e Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 6 Aug 2016 18:11:48 -0400 Subject: [PATCH 045/292] Bump CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c030061501..02f7797fda 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Ansible 2.1 compatibility fixes ([#631](https://github.com/roots/trellis/pull/631)) * [BREAKING] Upgrade Ubuntu from 14.04 Trusty to 16.04 Xenial ([#626](https://github.com/roots/trellis/pull/626)) * [BREAKING] Add `vault_users` for easier password management ([#614](https://github.com/roots/trellis/pull/614)) * Fix #581 - Use WP-CLI to run WP cron ([#583](https://github.com/roots/trellis/pull/583)) From 7736334bb143cf6ee56adc9db597785c09acf67d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 14 Aug 2016 20:47:07 -0400 Subject: [PATCH 046/292] 0.9.8 CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02f7797fda..013b673049 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,4 @@ -### HEAD +### 0.9.8: August 14th, 2016 * Ansible 2.1 compatibility fixes ([#631](https://github.com/roots/trellis/pull/631)) * [BREAKING] Upgrade Ubuntu from 14.04 Trusty to 16.04 Xenial ([#626](https://github.com/roots/trellis/pull/626)) * [BREAKING] Add `vault_users` for easier password management ([#614](https://github.com/roots/trellis/pull/614)) From 84c184cb2178f1787292912c7b402ee9cff8e5b4 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 19 Aug 2016 08:45:11 -0400 Subject: [PATCH 047/292] Fix #639 - WP 4.6 compat: update WP-CLI to 0.24.1 --- CHANGELOG.md | 3 +++ roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 013b673049..a42dce516a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Fix #639 - WP 4.6 compatibility: update WP-CLI to 0.24.1 ([#640](https://github.com/roots/trellis/pull/640)) + ### 0.9.8: August 14th, 2016 * Ansible 2.1 compatibility fixes ([#631](https://github.com/roots/trellis/pull/631)) * [BREAKING] Upgrade Ubuntu from 14.04 Trusty to 16.04 Xenial ([#626](https://github.com/roots/trellis/pull/626)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 437472c40c..71a1e5ee02 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 0.24.0 +wp_cli_version: 0.24.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From d87a10ec450fd51fa9bb2106b8e23c151f40fb3d Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Sat, 27 Aug 2016 16:23:07 -0600 Subject: [PATCH 048/292] Create WordPress php-fpm conf after web_root exists --- roles/php/tasks/main.yml | 6 ------ roles/wordpress-setup/tasks/main.yml | 6 ++++++ roles/{php => wordpress-setup}/templates/php-fpm.conf.j2 | 0 3 files changed, 6 insertions(+), 6 deletions(-) rename roles/{php => wordpress-setup}/templates/php-fpm.conf.j2 (100%) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 47eb9823c1..ee0a5d49ed 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -59,9 +59,3 @@ src: php.ini.j2 dest: /etc/php/7.0/fpm/php.ini notify: reload php-fpm - -- name: php-fpm configuration file - template: - src: php-fpm.conf.j2 - dest: /etc/php/7.0/fpm/pool.d/wordpress.conf - notify: reload php-fpm diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 93a1aeca8c..3eead39622 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -22,6 +22,12 @@ state: directory with_dict: "{{ wordpress_sites }}" +- name: Create WordPress php-fpm configuration file + template: + src: php-fpm.conf.j2 + dest: /etc/php/7.0/fpm/pool.d/wordpress.conf + notify: reload php-fpm + - include: nginx.yml tags: wordpress-setup-nginx diff --git a/roles/php/templates/php-fpm.conf.j2 b/roles/wordpress-setup/templates/php-fpm.conf.j2 similarity index 100% rename from roles/php/templates/php-fpm.conf.j2 rename to roles/wordpress-setup/templates/php-fpm.conf.j2 From def7dfbc8ade43c474ac77dacf71e747b5f2b793 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 27 Aug 2016 17:26:28 -0600 Subject: [PATCH 049/292] Fix condition for permalink structure task --- roles/wordpress-install/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 83c9bd7c8f..91e89d3529 100644 --- a/roles/wordpress-install/tasks/main.yml 
+++ b/roles/wordpress-install/tasks/main.yml @@ -51,17 +51,17 @@ --admin_email="{{ item.value.admin_email }}" args: chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - register: wp_install_results + register: wp_multisite_install_results with_dict: "{{ wordpress_sites }}" when: item.value.site_install | default(true) and item.value.multisite.enabled | default(false) - changed_when: "'The network already exists.' not in wp_install_results.stdout" + changed_when: "'The network already exists.' not in wp_multisite_install_results.stdout" - name: Setup Permalink Structure command: wp rewrite structure {{ item.value.initial_permalink_structure | default("/%postname%/") }} --allow-root args: chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" with_dict: "{{ wordpress_sites }}" - when: wp_install_results | changed + when: wp_install_results | changed or wp_multisite_install_results | changed - name: Update WP Multisite Home URL command: wp option update home {{ site_env.wp_home }} --allow-root From 5182fc3aaa1d4700aba5962af2e536850956e277 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 27 Aug 2016 23:15:03 -0600 Subject: [PATCH 050/292] Update README requirements re: Ansible and passlib --- README.md | 4 ++-- lib/trellis/plugins/vars/vars.py | 17 +++++++++++------ roles/common/tasks/main.yml | 10 ++++++++++ 3 files changed, 23 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 8aa1b73698..4289152bd9 100644 --- a/README.md +++ b/README.md 
@@ -31,7 +31,7 @@ Trellis will configure a server with the following and more: Make sure all dependencies have been installed before moving on: -* [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) 2.0.2 +* [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) >= 2.0.2 (except 2.1.0) * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 1.8.5 * [vagrant-bindfs](https://github.com/gael-ian/vagrant-bindfs#installation) >= 0.3.1 (Windows users may skip this) @@ -72,7 +72,7 @@ Trellis documentation is available at [https://roots.io/trellis/docs/](https://r ## Remote server setup (staging/production) -A base Ubuntu 16.04 server is required for setting up remote servers. +A base Ubuntu 16.04 server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) 2. Add your server IP/hostnames to `hosts/` diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/vars/vars.py index f3f42b5263..893344c026 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/vars/vars.py @@ -17,12 +17,6 @@ from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode from ansible.template import Templar -try: - import passlib.hash -except: - if sys.platform.startswith('darwin'): - raise AnsibleError('Ansible on OS X requires the python passlib module to create user password hashes.\nsudo easy_install pip\npip install passlib') - class VarsModule(object): ''' Creates and modifies host variables ''' 
@@ -82,9 +76,20 @@ def cli_options(self): return ' '.join(options) + def darwin_without_passlib(self): + if not sys.platform.startswith('darwin'): + return False + + try: + import passlib.hash + return False + except: + return True + def get_host_vars(self, host, vault_password=None): self.raw_vars(host, host.get_group_vars()) host.vars['cli_options'] = self.cli_options() host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) host.vars['cli_ask_become_pass'] = getattr(self._options, 'become_ask_pass', False) + host.vars['darwin_without_passlib'] = self.darwin_without_passlib() return {} diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 99bd894468..7fc68eb2e5 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -34,6 +34,16 @@ when: ansible_distribution_release == 'trusty' run_once: true +- name: Check whether passlib is needed + fail: + msg: | + Ansible on OS X requires python passlib module to create user password hashes + + sudo easy_install pip + pip install passlib + when: env != 'development' and darwin_without_passlib | default(false) + run_once: true + - name: Update Apt apt: update_cache: yes From 0d062c90f8bded93e55c93019db9230ee8750a78 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Tue, 30 Aug 2016 11:54:59 -0600 Subject: [PATCH 051/292] Update badges [ci skip] --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4289152bd9..5b572c417a 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Trellis - -[![Build Status](https://travis-ci.org/roots/trellis.svg)](https://travis-ci.org/roots/trellis) +[![Release](https://img.shields.io/github/release/roots/trellis.svg?style=flat-square)](https://github.com/roots/trellis/releases) +[![Build Status](https://img.shields.io/travis/roots/trellis.svg?style=flat-square)](https://travis-ci.org/roots/trellis) Ansible playbooks for setting up a LEMP stack for WordPress. 
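Review bot: `darwin_without_passlib` wraps `import passlib.hash` in a bare `except:`, which treats any failure — a broken passlib install raising something other than ImportError, or even a KeyboardInterrupt during import — as "passlib missing" and then steers the user to the wrong remedy via the new "Check whether passlib is needed" task; `except ImportError:` keeps the check honest and lets real errors surface. The method also has no docstring; `"""Return True on OS X when the passlib module needed for password hashing cannot be imported."""` would cover it. Note that the removed module-level try/except raised for every run, whereas the new task only fails when `env != 'development'`, so a development run that hashes `vault_users` passwords on OS X may now hit the error inside the filter instead (inferred from the task's `when:`; confirm whether dev.yml applies the users role).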
From c178ab943c40bb6f604c7245d17b5a75f6ccda1d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 30 Aug 2016 21:19:26 -0400 Subject: [PATCH 052/292] Update CHANGELOG --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a42dce516a..580f3bc067 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,6 @@ ### HEAD +* Create WordPress php-fpm conf after web_root exists ([#642](https://github.com/roots/trellis/pull/642)) +* Fix #637 - Fix condition for permalink structure task ([#643](https://github.com/roots/trellis/pull/643)) * Fix #639 - WP 4.6 compatibility: update WP-CLI to 0.24.1 ([#640](https://github.com/roots/trellis/pull/640)) ### 0.9.8: August 14th, 2016 From 4fa64a386ec0b4b79d8f7d9c0193a99dfc09a2e0 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 30 Aug 2016 23:33:46 -0400 Subject: [PATCH 053/292] WP 4.6 Compat: set WP_HOME/SITEURL directly https://github.com/WordPress/WordPress/commit/905f4ec0f835dc9eb0a34f37c297bd6a02d519ba changed email address handling with PHPMailer. It's not validating email addresses. This was failing since Trellis was using string interpolation with the `HTTP_HOST` constant. It wasn't being evaluated in that context. The solution is to set these values directly with the first canonical site host eliminating the need for the magic constant and string interpolation. --- Vagrantfile | 4 ++++ group_vars/all/helpers.yml | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 611735a426..1c74ddb4b1 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -100,6 +100,10 @@ Vagrant.configure('2') do |config| 'development' => ['default'] } + if tags = ENV['ANSIBLE_TAGS'] + ansible.tags = tags + end + ansible.extra_vars = {'vagrant_version' => Vagrant::VERSION} if vars = ENV['ANSIBLE_VARS'] extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] 
diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index a340a49fc2..22650ad78c 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -4,8 +4,8 @@ wordpress_env_defaults: db_user: "{{ item.key | underscore }}" disable_wp_cron: true wp_env: "{{ env }}" - wp_home: "{{ item.value.ssl.enabled | default(false) | ternary('https', 'http') }}://${HTTP_HOST}" - wp_siteurl: "${WP_HOME}/wp" + wp_home: "{{ item.value.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}" + wp_siteurl: "{{ item.value.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}/wp" site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" From d3d37a33382ee9dac7e2c8260d049903de8f8e96 Mon Sep 17 00:00:00 2001 From: Michael Silber Date: Thu, 1 Sep 2016 14:27:32 -0400 Subject: [PATCH 054/292] Specify service path for nginx reload --- roles/letsencrypt/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 7f2902ea25..7bd9a6ee2a 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml @@ -7,7 +7,7 @@ cron_file: letsencrypt-certificate-renewal name: letsencrypt certificate renewal user: root - job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py && service nginx reload + job: cd {{ acme_tiny_data_directory }} && ./renew-certs.py && /usr/sbin/service nginx reload day: "{{ letsencrypt_cronjob_daysofmonth }}" hour: 4 minute: 30 From 58712e927e4beaf0ff408145da72fd5c1be65b89 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 1 Sep 2016 22:07:45 -0400 Subject: [PATCH 055/292] Update CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 580f3bc067..163d818847 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* WP 4.6 Compat: set WP_HOME/SITEURL directly ([#647](https://github.com/roots/trellis/pull/647)) * Create WordPress php-fpm conf after web_root exists ([#642](https://github.com/roots/trellis/pull/642)) * Fix #637 - Fix condition for permalink structure task ([#643](https://github.com/roots/trellis/pull/643)) * Fix #639 - WP 4.6 compatibility: update WP-CLI to 0.24.1 ([#640](https://github.com/roots/trellis/pull/640)) From 49ae2bdb213d13ed7dfdaa021797f6e155c77171 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 1 Sep 2016 21:01:22 -0600 Subject: [PATCH 056/292] WP 4.6 Compat in deploy.yml: set WP_HOME/SITEURL directly To accompany roots/trellis#647 --- deploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy.yml b/deploy.yml index 70e24a4805..e8b3d4716f 100644 --- a/deploy.yml +++ b/deploy.yml @@ -19,8 +19,8 @@ db_user: "{{ site | underscore }}" disable_wp_cron: true wp_env: "{{ env }}" - wp_home: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://${HTTP_HOST}" - wp_siteurl: "${WP_HOME}/wp" + wp_home: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}" + wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" site_env: "{{ wordpress_env_defaults | combine(project.env | default({}), vault_wordpress_sites[site].env) }}" pre_tasks: From c667b585184dbb0b8612e3813a5d97e203a4410f Mon Sep 17 00:00:00 2001 
From: Kalen Johnson Date: Tue, 30 Aug 2016 22:46:33 -0700 Subject: [PATCH 057/292] Don't run xdebug in the CLI This is especially important if running Composer via the command line in the vagrant box. Should speed up anything running via the PHP CLI. 99.9% of the time xdebug does not need to be run with the CLI. --- roles/php/tasks/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index ee0a5d49ed..72b98a7113 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -36,6 +36,12 @@ dest: /etc/php/7.0/mods-available/xdebug.ini when: xdebug_install | default(false) +- name: Disable xdebug CLI + file: + path: /etc/php/7.0/cli/conf.d/20-xdebug.ini + state: absent + when: xdebug_install | default(false) + - name: Start php7.0-fpm service service: name: php7.0-fpm From c798866fb2597ef55f2559bf56e352693ed175f6 Mon Sep 17 00:00:00 2001 From: Kalen Johnson Date: Fri, 9 Sep 2016 13:19:00 -0700 Subject: [PATCH 058/292] Fix errors when compiling wheel Yay, another Windows problem. So I was having issues on a new project. pip when installing Ansible has a couple dependencies, and wheel was failing to compile. Adding these packages looks like it solves the issue. --- windows.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows.sh b/windows.sh index 68bc130747..56697ff942 100644 --- a/windows.sh +++ b/windows.sh @@ -33,7 +33,7 @@ fi if [ ! -f /usr/bin/ansible ]; then echo "Installing pip..." sudo apt-get -y update - sudo apt-get -y install python-pip + sudo apt-get -y install python-pip libssl-dev libffi-dev echo "Installing Ansible with pip..." sudo pip install ansible=='2.0.2.0' sudo pip install markupsafe From d92ddeade2ac84b45564253a9c10254ae87df60e Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Wed, 28 Sep 2016 17:07:55 -0600 Subject: [PATCH 059/292] Enable per-site setup for permalink structure Fixes #660 --- CHANGELOG.md | 1 + roles/wordpress-install/tasks/main.yml | 33 ++++++++------------------ 2 files changed, 11 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 163d818847..fcb868317a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable per-site setup for permalink structure ([#661](https://github.com/roots/trellis/pull/661)) * WP 4.6 Compat: set WP_HOME/SITEURL directly ([#647](https://github.com/roots/trellis/pull/647)) * Create WordPress php-fpm conf after web_root exists ([#642](https://github.com/roots/trellis/pull/642)) * Fix #637 - Fix condition for permalink structure task ([#643](https://github.com/roots/trellis/pull/643)) diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 91e89d3529..934d232416 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml 
@@ -25,43 +25,30 @@ changed_when: "'Nothing to install or update' not in composer_results.stderr" - name: Install WP - command: wp core install - --allow-root - --url="{{ site_env.wp_home }}" - --title="{{ item.value.site_title | default(item.key) }}" - --admin_user="{{ item.value.admin_user | default('admin') }}" - --admin_password="{{ vault_wordpress_sites[item.key].admin_password }}" - --admin_email="{{ item.value.admin_email }}" - args: - chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - register: wp_install_results - with_dict: "{{ wordpress_sites }}" - when: item.value.site_install | default(true) and not item.value.multisite.enabled | default(false) - changed_when: "'WordPress is already installed.' not in wp_install_results.stdout" - -- name: Install WP Multisite - command: wp core multisite-install + command: wp core {{ item.value.multisite.enabled | default(false) | ternary('multisite-install', 'install') }} --allow-root --url="{{ site_env.wp_home }}" + {% if item.value.multisite.enabled | default(false) %} --base="{{ item.value.multisite.base_path | default('/') }}" --subdomains="{{ item.value.multisite.subdomains | default('false') }}" + {% endif %} --title="{{ item.value.site_title | default(item.key) }}" --admin_user="{{ item.value.admin_user | default('admin') }}" --admin_password="{{ vault_wordpress_sites[item.key].admin_password }}" --admin_email="{{ item.value.admin_email }}" args: chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - register: wp_multisite_install_results + register: wp_install with_dict: "{{ wordpress_sites }}" - when: item.value.site_install | default(true) and item.value.multisite.enabled | default(false) - changed_when: "'The network already exists.' not in wp_multisite_install_results.stdout" + when: item.value.site_install | default(true) + changed_when: "'WordPress is already installed.' 
not in wp_install.stdout and 'The network already exists.' not in wp_install.stdout" - name: Setup Permalink Structure - command: wp rewrite structure {{ item.value.initial_permalink_structure | default("/%postname%/") }} --allow-root + command: wp rewrite structure {{ item.item.value.initial_permalink_structure | default("/%postname%/") }} --allow-root args: - chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" - with_dict: "{{ wordpress_sites }}" - when: wp_install_results | changed or wp_multisite_install_results | changed + chdir: "{{ www_root }}/{{ item.item.key }}/{{ item.item.value.current_path | default('current') }}/" + with_items: "{{ wp_install.results }}" + when: item | changed - name: Update WP Multisite Home URL command: wp option update home {{ site_env.wp_home }} --allow-root From 3ed0ba0a0a4038e0ec23a31379511d90f31ad55b Mon Sep 17 00:00:00 2001 From: Steve Steiner Date: Fri, 30 Sep 2016 13:20:15 -0400 Subject: [PATCH 060/292] Update requirements.yml for mailhog 1.1.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3e48e32af0..6af02c85d3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,4 +19,4 @@ - name: mailhog src: geerlingguy.mailhog - version: 1.0.5 + version: 1.1.0 From 5b2c867b107d58a876036e8d3e17431881247b70 Mon Sep 17 00:00:00 2001 From: Stephen Murphy Date: Mon, 3 Oct 2016 16:30:07 +0100 Subject: [PATCH 061/292] fix for VM versioning issue. --- Vagrantfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Vagrantfile b/Vagrantfile index 1c74ddb4b1..ff7bbfc861 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -38,6 +38,7 @@ Vagrant.require_version '>= 1.8.5' Vagrant.configure('2') do |config| config.vm.box = 'bento/ubuntu-16.04' + config.vm.box_version = '2.2.9' config.ssh.forward_agent = true config.vm.post_up_message = post_up_message From 5646bba8a10b73d5b2cff47903c923f84c29a7d3 Mon Sep 17 00:00:00 2001 
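Review bot: The merged "Install WP" task passes `--admin_password="{{ vault_wordpress_sites[item.key].admin_password }}"` on the command line with no `no_log: true`, so the vault-protected admin password is echoed in the task output for every site (the loop prints each `item`, and a failure dumps the full `cmd`) and lands in any configured Ansible log file; the two pre-merge tasks had the same exposure, but this rewrite is the natural place to add `no_log: true` beside `register: wp_install`. The password is also visible in the host's process list while `wp core install` runs, which `no_log` does not address — a comment on the task recording that trade-off would be worth having. Minor: the `changed_when` string now tests two markers on `wp_install.stdout`; a short comment naming which install mode produces each message saves the next reader a trip to the WP-CLI source.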
From: Ola Persson Date: Mon, 10 Oct 2016 12:16:45 +0900 Subject: [PATCH 062/292] add $http_origin to fastcgi_cache_key Wordpress API adds the origin to CORS headers, if requesting from two different applications while the cache is hot delivers the wrong headers unless http_origin is added to the cache key. --- roles/nginx/templates/nginx.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 474c916497..ebddab3c3c 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -41,7 +41,7 @@ http { fastcgi_cache_path {{ nginx_cache_path }} levels=1:2 keys_zone=wordpress:{{ nginx_cache_key_storage_size }} max_size={{ nginx_cache_size }} inactive={{ nginx_cache_inactive }}; fastcgi_cache_use_stale updating error timeout invalid_header http_500; fastcgi_cache_lock on; - fastcgi_cache_key $realpath_root$scheme$host$request_uri$request_method; + fastcgi_cache_key $realpath_root$scheme$host$request_uri$request_method$http_origin; fastcgi_ignore_headers Cache-Control Expires Set-Cookie; fastcgi_pass_header Set-Cookie; fastcgi_pass_header Cookie; From b7b9df3cfb5d452f176c3995b849cd2f4903639e Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 27 Oct 2016 18:36:53 -0600 Subject: [PATCH 063/292] Update to WP-CLI 0.25.0 for WP 4.7 compat --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fcb868317a..1a1bc5a4c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
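Review bot: Appending `$http_origin` to `fastcgi_cache_key` makes a client-controlled request header part of the key, so every distinct Origin value produces its own cache entry: the micro-cache no longer coalesces requests across arbitrary origins, requests without an Origin header are cached separately from those with one, and the number of entries is bounded only by `max_size` and `inactive`. A `map` that normalizes `$http_origin` to either a known site origin or an empty string keeps the CORS fix while keeping the key space bounded, e.g. (constructed example) `map $http_origin $cache_origin { default ""; "~^https?://(www\.)?example\.com$" $http_origin; }` with the host pattern generated from `site_hosts`, then `$cache_origin` in place of `$http_origin` in the key. A comment above the directive stating why Origin belongs in the key (the WordPress API reflects it in CORS headers, per the commit message) would also help, since the reason is not visible from the config alone.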
@@ -1,4 +1,5 @@ ### HEAD +* Update to WP-CLI 0.25.0 for WP 4.7 compat ([#673](https://github.com/roots/trellis/pull/673)) * Enable per-site setup for permalink structure ([#661](https://github.com/roots/trellis/pull/661)) * WP 4.6 Compat: set WP_HOME/SITEURL directly ([#647](https://github.com/roots/trellis/pull/647)) * Create WordPress php-fpm conf after web_root exists ([#642](https://github.com/roots/trellis/pull/642)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 71a1e5ee02..84fa502973 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 0.24.1 +wp_cli_version: 0.25.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From cbee5e6a2c1364dcc4da853d41a64f0779722cf7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 5 Nov 2016 00:13:34 -0600 Subject: [PATCH 064/292] Update galaxy roles: composer, logrotate, daemonize --- requirements.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.yml b/requirements.yml index 6af02c85d3..40b407cb5a 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,6 +1,6 @@ - name: composer src: geerlingguy.composer - version: 1.2.7 + version: 1.5.0 - name: ntp src: resmo.ntp @@ -8,14 +8,14 @@ - name: logrotate src: nickhammond.logrotate - version: fc3ea4 + version: e7a498d - name: swapfile src: kamaln7.swapfile version: 0.4 - src: geerlingguy.daemonize - version: 1.1.0 + version: 1.1.1 - name: mailhog src: geerlingguy.mailhog From ae5e2e1a070a16753a255beb3ba8cc1181dfce2a Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Sat, 5 Nov 2016 00:17:56 -0600 Subject: [PATCH 065/292] Update MailHog galaxy role --- dev.yml | 1 - group_vars/development/mail.yml | 8 +------- requirements.yml | 2 +- 3 files changed, 2 insertions(+), 9 deletions(-) diff --git a/dev.yml b/dev.yml index 0eaaacc6fa..dfdd87e7c5 100644 --- a/dev.yml +++ b/dev.yml @@ -11,7 +11,6 @@ - { role: ntp } - { role: sshd, tags: [sshd] } - { role: mariadb, tags: [mariadb] } - - { role: ssmtp, tags: [ssmtp, mail] } - { role: mailhog, tags: [mailhog, mail] } - { role: php, tags: [php] } - { role: memcached, tags: [memcached] } diff --git a/group_vars/development/mail.yml b/group_vars/development/mail.yml index d97c07e289..f6d4f663d5 100644 --- a/group_vars/development/mail.yml +++ b/group_vars/development/mail.yml @@ -1,8 +1,2 @@ # Documentation: https://roots.io/trellis/docs/mail/ -mailhog_install_ssmtp: no -mail_admin: admin@example.dev -mail_hostname: example.dev -mail_smtp_server: localhost:1025 -ssmtp_auth_method: "" -ssmtp_start_tls: 'no' -ssmtp_tls: 'no' +php_sendmail_path: "{{ mailhog_install_dir }}/mhsendmail" diff --git a/requirements.yml b/requirements.yml index 40b407cb5a..4090e571ac 100644 --- a/requirements.yml +++ b/requirements.yml @@ -19,4 +19,4 @@ - name: mailhog src: geerlingguy.mailhog - version: 1.1.0 + version: 2.1.0 From 17390112bff5e642c3c750e7452456bfa318dfa1 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 5 Nov 2016 00:34:55 -0600 Subject: [PATCH 066/292] Replace resmo.ntp galaxy role with geerlingguy.ntp --- CHANGELOG.md | 1 + dev.yml | 2 +- group_vars/all/main.yml | 3 ++- requirements.yml | 4 ++-- roles/common/defaults/main.yml | 2 +- roles/common/tasks/main.yml | 13 ++----------- roles/php/defaults/main.yml | 2 +- roles/php/templates/php.ini.j2 | 2 +- 8 files changed, 11 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a1bc5a4c5..5d6b54d684 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
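Review bot: With `ssmtp` dropped from dev.yml, the only remaining `php_sendmail_path` override is the development-group one in the mail.yml hunk, while the php role default (visible as hunk context in a later patch on this page) still points at `/usr/sbin/ssmtp -t`; whether the other environments still install ssmtp is not visible in this diff, so PHP mail there may now reference a binary nothing provides. Worth confirming before merging, and a one-line note next to the existing `# Documentation:` line in group_vars/development/mail.yml, such as `# Development routes PHP mail through MailHog's mhsendmail; other environments rely on the php role default`, would record the split.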
@@ -1,4 +1,5 @@ ### HEAD +* Update galaxy roles for Ansible 2.2 compatibility ([#681](https://github.com/roots/trellis/pull/681)) * Update to WP-CLI 0.25.0 for WP 4.7 compat ([#673](https://github.com/roots/trellis/pull/673)) * Enable per-site setup for permalink structure ([#661](https://github.com/roots/trellis/pull/661)) * WP 4.6 Compat: set WP_HOME/SITEURL directly ([#647](https://github.com/roots/trellis/pull/647)) diff --git a/dev.yml b/dev.yml index dfdd87e7c5..a721acfcc1 100644 --- a/dev.yml +++ b/dev.yml @@ -8,7 +8,7 @@ - { role: common, tags: [common] } - { role: fail2ban, tags: [fail2ban] } - { role: ferm, tags: [ferm] } - - { role: ntp } + - { role: ntp, tags: [ntp] } - { role: sshd, tags: [sshd] } - { role: mariadb, tags: [mariadb] } - { role: mailhog, tags: [mailhog, mail] } diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index daa4cecea3..656aa8ab7e 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2,7 +2,8 @@ composer_keep_updated: true composer_global_packages: - { name: hirak/prestissimo } apt_cache_valid_time: 86400 -default_timezone: Etc/UTC +ntp_timezone: Etc/UTC +ntp_manage_config: true www_root: /srv/www ip_whitelist: - "{{ lookup('pipe', 'curl -4 -s https://api.ipify.org') }}" diff --git a/requirements.yml b/requirements.yml index 4090e571ac..15c9e891ba 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,8 +3,8 @@ version: 1.5.0 - name: ntp - src: resmo.ntp - version: 0.3.0 + src: geerlingguy.ntp + version: 1.3.0 - name: logrotate src: nickhammond.logrotate diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 95ddcbec74..f60073c0eb 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -4,4 +4,4 @@ ansible_requirements: - version: 2.1.0.0 operator: '!=' -default_timezone: Etc/UTC +ntp_timezone: Etc/UTC diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 7fc68eb2e5..6d11d66b15 100644 --- a/roles/common/tasks/main.yml 
+++ b/roles/common/tasks/main.yml @@ -63,20 +63,11 @@ - name: Validate timezone variable stat: - path: /usr/share/zoneinfo/{{ default_timezone }} + path: /usr/share/zoneinfo/{{ ntp_timezone }} register: timezone_path changed_when: false - name: Explain timezone error fail: - msg: "{{ default_timezone }} is not a valid timezone. For a list of valid timezones, check https://php.net/manual/en/timezones.php" + msg: "{{ ntp_timezone }} is not a valid timezone. For a list of valid timezones, check https://php.net/manual/en/timezones.php" when: not timezone_path.stat.exists - -- name: Get current timezone - command: cat /etc/timezone - register: current_timezone - changed_when: false - -- name: Set timezone - command: timedatectl set-timezone {{ default_timezone }} - when: current_timezone.stdout != default_timezone diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index ab632736e6..8575f4f4d9 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -14,7 +14,7 @@ php_sendmail_path: /usr/sbin/ssmtp -t php_session_save_path: /tmp php_upload_max_filesize: 25M php_track_errors: 'Off' -php_default_timezone: '{{ default_timezone }}' +php_timezone: '{{ ntp_timezone }}' php_opcache_enable: 1 php_opcache_enable_cli: 1 diff --git a/roles/php/templates/php.ini.j2 b/roles/php/templates/php.ini.j2 index 0fcfe9da08..8c2b5ae0ae 100644 --- a/roles/php/templates/php.ini.j2 +++ b/roles/php/templates/php.ini.j2 @@ -14,7 +14,7 @@ session.save_path = {{ php_session_save_path }} track_errors = {{ php_track_errors }} upload_max_filesize = {{ php_upload_max_filesize }} expose_php = Off -date.timezone = {{ php_default_timezone }} +date.timezone = {{ php_timezone }} [mysqlnd] mysqlnd.collect_memory_statistics = {{ php_mysqlnd_collect_memory_statistics }} From eaa3cded4bffd046a093b3117c7945c37ab92c6b Mon Sep 17 00:00:00 2001 
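Review bot: The `Validate timezone variable` and `Explain timezone error` tasks now read `ntp_timezone`, but nothing catches a user group_vars file that still sets the old `default_timezone`; such a host silently falls back to the `Etc/UTC` default instead of failing. A guard task ahead of the validation makes the rename loud: `- name: Fail on renamed timezone variable`, `  fail: msg="default_timezone has been renamed to ntp_timezone, please update group_vars"`, `  when: default_timezone is defined`. The same rename lands in roles/php/defaults/main.yml (`php_default_timezone` to `php_timezone`) and deserves the same treatment if users override that one.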
From: Phil Nelson Date: Sat, 5 Nov 2016 15:19:38 -0600 Subject: [PATCH 067/292] Ensure there is always at least one PHP-FPM pool defined --- CHANGELOG.md | 1 + roles/php/tasks/main.yml | 7 ------- roles/wordpress-setup/tasks/main.yml | 7 +++++++ 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d6b54d684..db9bc0da87 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Ensure there is always at least one PHP-FPM pool defined ([#682](https://github.com/roots/trellis/pull/682)) * Update galaxy roles for Ansible 2.2 compatibility ([#681](https://github.com/roots/trellis/pull/681)) * Update to WP-CLI 0.25.0 for WP 4.7 compat ([#673](https://github.com/roots/trellis/pull/673)) * Enable per-site setup for permalink structure ([#661](https://github.com/roots/trellis/pull/661)) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 72b98a7113..55b27400d2 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -53,13 +53,6 @@ path: /var/run/php7.0-fpm/ state: directory -- name: Disable default pool - command: mv /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/www.disabled - args: - creates: /etc/php/7.0/fpm/pool.d/www.disabled - when: disable_default_pool - notify: reload php-fpm - - name: PHP configuration file template: src: php.ini.j2 diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 3eead39622..606a3b3d74 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -28,6 +28,13 @@ dest: /etc/php/7.0/fpm/pool.d/wordpress.conf notify: reload php-fpm +- name: Disable default PHP-FPM pool + command: mv /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/www.disabled + args: + creates: /etc/php/7.0/fpm/pool.d/www.disabled + when: disable_default_pool | default(true) + notify: reload php-fpm + - include: nginx.yml tags: wordpress-setup-nginx 
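Review bot: The relocated `Disable default PHP-FPM pool` task carries no comment saying why it now sits after the `wordpress.conf` template, even though that ordering is the point of the commit; a future reorder would quietly reintroduce the no-pool failure. A comment above the task, `# Must run after the wordpress.conf template above: php-fpm will not start with no pool defined`, records the dependency. Separately, `creates:` only skips the `mv` once `www.disabled` exists; if `www.conf` is ever absent without it the command fails the play, so adding `removes: /etc/php/7.0/fpm/pool.d/www.conf` under `args` turns that case into a clean skip.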
From c5c680e11bcd3cf1e1e1a28a552bceabf696d42a Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 7 Nov 2016 02:33:20 -0700 Subject: [PATCH 068/292] Use to_text to prevent to_unicode deprecation warning --- lib/trellis/utils/output.py | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 7de83d0b49..8349952aff 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -8,7 +8,12 @@ import textwrap from ansible import __version__ -from ansible.utils.unicode import to_unicode + +# to_unicode will no longer be needed once Trellis requires Ansible >= 2.2 +try: + from ansible.module_utils._text import to_text +except ImportError: + from ansible.utils.unicode import to_unicode as to_text def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry @@ -69,7 +74,7 @@ def display(obj, result): # Display additional info when failed if failed: - items = (item for item in ['reason', 'module_stderr', 'module_stdout', 'stderr'] if item in result and to_unicode(result[item]) != '') + items = (item for item in ['reason', 'module_stderr', 'module_stdout', 'stderr'] if item in result and to_text(result[item]) != '') for item in items: msg = result[item] if msg == '' else '\n'.join([msg, result.pop(item, '')]) @@ -78,9 +83,9 @@ def display(obj, result): # Must pass unicode strings to Display.display() to prevent UnicodeError tracebacks if isinstance(msg, list): - msg = '\n'.join([to_unicode(x) for x in msg]) + msg = '\n'.join([to_text(x) for x in msg]) elif not isinstance(msg, unicode): - msg = to_unicode(msg) + msg = to_text(msg) # Wrap text msg = '\n'.join([textwrap.fill(line, wrap_width, replace_whitespace=False) From 83bc559337a89da843a34a8767b0ac03703e9191 Mon Sep 17 00:00:00 2001 
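Review bot: In the third hunk the `elif not isinstance(msg, unicode)` branch is kept while its body switches to `to_text`, so the module still depends on the Python 2-only `unicode` name and the branch only dodges a conversion that, as far as I can tell, both `to_text` and the `to_unicode` fallback already short-circuit for text input. Collapsing it to `else:` / `msg = to_text(msg)` drops the last py2-only builtin from this function. The enclosing `display` function begins and ends outside the hunk.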
From: Phil Nelson Date: Sun, 6 Nov 2016 22:05:03 -0700 Subject: [PATCH 069/292] Make raw_vars compatible with play vars and Ansible 2.1 --- CHANGELOG.md | 1 + lib/trellis/plugins/callback/output.py | 14 ++++-- .../plugins/{vars => callback}/vars.py | 48 +++++++++---------- 3 files changed, 34 insertions(+), 29 deletions(-) rename lib/trellis/plugins/{vars => callback}/vars.py (61%) diff --git a/CHANGELOG.md b/CHANGELOG.md index db9bc0da87..2309a3e75e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Make `raw_vars` compatible with play vars and Ansible 2.1 ([#684](https://github.com/roots/trellis/pull/684)) * Ensure there is always at least one PHP-FPM pool defined ([#682](https://github.com/roots/trellis/pull/682)) * Update galaxy roles for Ansible 2.2 compatibility ([#681](https://github.com/roots/trellis/pull/681)) * Update to WP-CLI 0.25.0 for WP 4.7 compat ([#673](https://github.com/roots/trellis/pull/673)) diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index 4bad319b2e..6c86df64c4 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py @@ -5,7 +5,12 @@ import os.path import sys -from ansible.parsing.dataloader import DataLoader +from ansible import __version__ +from ansible.errors import AnsibleError + +if __version__.startswith('1'): + raise AnsibleError('Trellis no longer supports Ansible 1.x. Please upgrade to Ansible 2.x.') + from ansible.plugins.callback.default import CallbackModule as CallbackModule_default try: 
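Review bot: `__version__.startswith('1')` is a string-prefix test rather than a version comparison, so it would also reject any future major that happens to begin with the digit 1 and accept a malformed version string outright; comparing the parsed major is explicit: `if int(__version__.split('.')[0]) < 2:`. Since this commit removes the duplicate check from vars.py, this is now the only Ansible 1.x guard in the plugins.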
@@ -59,10 +64,9 @@ def v2_playbook_on_play_start(self, play): super(CallbackModule, self).v2_playbook_on_play_start(play) # Check for relevant settings or overrides passed via cli --extra-vars - loader = DataLoader() - play_vars = play.get_variable_manager().get_vars(loader=loader, play=play) - if 'vagrant_version' in play_vars: - self.vagrant_version = play_vars['vagrant_version'] + extra_vars = play.get_variable_manager().extra_vars + if 'vagrant_version' in extra_vars: + self.vagrant_version = extra_vars['vagrant_version'] def v2_runner_item_on_ok(self, result): output.display_item(self, result) diff --git a/lib/trellis/plugins/vars/vars.py b/lib/trellis/plugins/callback/vars.py similarity index 61% rename from lib/trellis/plugins/vars/vars.py rename to lib/trellis/plugins/callback/vars.py index 893344c026..c9dadfbd01 100644 --- a/lib/trellis/plugins/vars/vars.py +++ b/lib/trellis/plugins/callback/vars.py 
@@ -4,44 +4,40 @@ import re import sys -from ansible import __version__ -from ansible.errors import AnsibleError - -if __version__.startswith('1'): - raise AnsibleError('Trellis no longer supports Ansible 1.x. Please upgrade to Ansible 2.x.') - -# These imports will produce Traceback in Ansible 1.x, so place after version check from __main__ import cli from ansible.compat.six import iteritems +from ansible.errors import AnsibleError from ansible.parsing.dataloader import DataLoader from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode +from ansible.plugins.callback import CallbackBase from ansible.template import Templar -class VarsModule(object): - ''' Creates and modifies host variables ''' +class CallbackModule(CallbackBase): + ''' Creates and modifies play and host variables ''' + + CALLBACK_VERSION = 2.0 + CALLBACK_NAME = 'vars' - def __init__(self, inventory): - self.inventory = inventory - self.inventory_basedir = inventory.basedir() + def __init__(self): self.loader = DataLoader() self._options = cli.options if cli else None def raw_triage(self, key_string, item, patterns): # process dict values if isinstance(item, AnsibleMapping): - return dict((key,self.raw_triage('.'.join([key_string, key]), value, patterns)) for key,value in item.iteritems()) + return AnsibleMapping(dict((key,self.raw_triage('.'.join([key_string, key]), value, patterns)) for key,value in item.iteritems())) # process list values elif isinstance(item, AnsibleSequence): - return [self.raw_triage('.'.join([key_string, str(i)]), value, patterns) for i,value in enumerate(item)] + return AnsibleSequence([self.raw_triage('.'.join([key_string, str(i)]), value, patterns) for i,value in enumerate(item)]) # wrap values if they match raw_vars pattern elif isinstance(item, AnsibleUnicode): match = next((pattern for pattern in patterns if re.match(pattern, key_string)), None) - return ''.join(['{% raw %}', item, '{% endraw %}']) if not item.startswith(('{% raw', 
'{%raw')) and match else item + return AnsibleUnicode(''.join(['{% raw %}', item, '{% endraw %}'])) if not item.startswith(('{% raw', '{%raw')) and match else item - def raw_vars(self, host, hostvars): + def raw_vars(self, play, host, hostvars): if 'raw_vars' not in hostvars: return @@ -52,7 +48,10 @@ def raw_vars(self, host, hostvars): patterns = [re.sub(r'\*', '(.)*', re.sub(r'\.', '\.', var)) for var in raw_vars if var.split('.')[0] in hostvars] keys = set(pattern.split('\.')[0] for pattern in patterns) for key in keys: - host.vars[key] = self.raw_triage(key, hostvars[key], patterns) + if key in play.vars: + play.vars[key] = self.raw_triage(key, play.vars[key], patterns) + elif key in hostvars: + host.vars[key] = self.raw_triage(key, hostvars[key], patterns) def cli_options(self): options = [] @@ -86,10 +85,11 @@ def darwin_without_passlib(self): except: return True - def get_host_vars(self, host, vault_password=None): - self.raw_vars(host, host.get_group_vars()) - host.vars['cli_options'] = self.cli_options() - host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) - host.vars['cli_ask_become_pass'] = getattr(self._options, 'become_ask_pass', False) - host.vars['darwin_without_passlib'] = self.darwin_without_passlib() - return {} + def v2_playbook_on_play_start(self, play): + for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): + hostvars = play.get_variable_manager().get_vars(loader=self.loader, play=play, host=host) + self.raw_vars(play, host, hostvars) + host.vars['cli_options'] = self.cli_options() + host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) + host.vars['cli_ask_become_pass'] = getattr(self._options, 'become_ask_pass', False) + host.vars['darwin_without_passlib'] = self.darwin_without_passlib() From f826a34bdba637fca4b003d38a6a835a2bebf7a8 Mon Sep 17 00:00:00 2001 
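Review bot: The rebuilt `AnsibleMapping(...)` line in `raw_triage` still iterates with `item.iteritems()`, although the module imports `iteritems` from `ansible.compat.six` (kept as context in this hunk), so the dict branch remains Python 2-only while the rest of the file has been prepared for both; `for key, value in iteritems(item)` matches the import. `raw_triage` and `raw_vars` both continue past the end of the hunk.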
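Review bot: `v2_playbook_on_play_start` only expands `play.hosts[0]`, so a play whose `hosts` lists several patterns leaves every host outside the first pattern without `raw_vars` processing and without `cli_options`, `cli_ask_pass` and the other injected vars. `list_hosts` accepts a pattern list as far as I recall, so `list_hosts(play.hosts)` should cover them all; worth confirming against the Ansible 2.1 inventory API, which is also reached here through the private `_inventory` attribute and may deserve a comment noting that dependency.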
From: Ben Word Date: Mon, 7 Nov 2016 21:14:22 -0700 Subject: [PATCH 070/292] Disable wp-cron emails --- CHANGELOG.md | 1 + roles/wordpress-setup/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2309a3e75e..b5db81eacb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Disable wp-cron emails ([#685](https://github.com/roots/trellis/pull/685)) * Make `raw_vars` compatible with play vars and Ansible 2.1 ([#684](https://github.com/roots/trellis/pull/684)) * Ensure there is always at least one PHP-FPM pool defined ([#682](https://github.com/roots/trellis/pull/682)) * Update galaxy roles for Ansible 2.2 compatibility ([#681](https://github.com/roots/trellis/pull/681)) diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 606a3b3d74..390014556f 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -43,7 +43,7 @@ name: "{{ item.key }} WordPress cron" minute: "*/15" user: "{{ web_user }}" - job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now" + job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" when: site_env.disable_wp_cron and not item.value.multisite.enabled | default(false) From 571c3f3906047f80278e34b3f63c6f8eb9b3ea46 Mon Sep 17 00:00:00 2001 
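Review bot: `> /dev/null 2>&1` silences stderr as well as stdout, so a wp-cli failure inside the cron job (database unreachable, fatal in a plugin) no longer reaches cron mail or any log; the stated goal is to stop the routine emails, which only needs stdout gone. `wp cron event run --due-now --quiet > /dev/null` keeps the mails away on success while leaving errors on stderr, or redirect stderr to a per-site log under `{{ www_root }}/{{ item.key }}` if mail is unwanted altogether.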
From: Nathaniel Schweinberg Date: Mon, 7 Nov 2016 09:40:51 -0800 Subject: [PATCH 071/292] Move Xdebug setup to new role and create xdebug-tunnel role --- dev.yml | 1 + group_vars/development/php.yml | 9 ++--- roles/php/defaults/main.yml | 8 ----- roles/php/tasks/main.yml | 18 ---------- roles/php/templates/xdebug.ini.j2 | 12 ------- roles/xdebug-tunnel/defaults/main.yml | 11 +++++++ roles/xdebug-tunnel/tasks/close.yml | 10 ++++++ roles/xdebug-tunnel/tasks/main.yml | 16 +++++++++ roles/xdebug-tunnel/tasks/open.yml | 10 ++++++ roles/xdebug/defaults/main.yml | 43 ++++++++++++++++++++++++ roles/xdebug/tasks/disable.yml | 7 ++++ roles/xdebug/tasks/enable.yml | 18 ++++++++++ roles/xdebug/tasks/main.yml | 11 +++++++ roles/xdebug/templates/xdebug.ini.j2 | 47 +++++++++++++++++++++++++++ xdebug-tunnel.sh | 24 ++++++++++++++ xdebug-tunnel.yml | 18 ++++++++++ 16 files changed, 218 insertions(+), 45 deletions(-) delete mode 100644 roles/php/templates/xdebug.ini.j2 create mode 100644 roles/xdebug-tunnel/defaults/main.yml create mode 100644 roles/xdebug-tunnel/tasks/close.yml create mode 100644 roles/xdebug-tunnel/tasks/main.yml create mode 100644 roles/xdebug-tunnel/tasks/open.yml create mode 100644 roles/xdebug/defaults/main.yml create mode 100644 roles/xdebug/tasks/disable.yml create mode 100644 roles/xdebug/tasks/enable.yml create mode 100644 roles/xdebug/tasks/main.yml create mode 100644 roles/xdebug/templates/xdebug.ini.j2 create mode 100644 xdebug-tunnel.sh create mode 100644 xdebug-tunnel.yml diff --git a/dev.yml b/dev.yml index a721acfcc1..1df5a083c0 100644 --- a/dev.yml +++ b/dev.yml @@ -13,6 +13,7 @@ - { role: mariadb, tags: [mariadb] } - { role: mailhog, tags: [mailhog, mail] } - { role: php, tags: [php] } + - { role: xdebug, tags: [php, xdebug] } - { role: memcached, tags: [memcached] } - { role: nginx, tags: [nginx] } - { role: logrotate, tags: [logrotate] } 
diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index a7d5fbb24d..fcd82f34d5 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -6,10 +6,5 @@ php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 xdebug_install: true -php_xdebug_remote_enable: true -php_xdebug_remote_connect_back: true -php_xdebug_remote_host: localhost -php_xdebug_remote_port: 9000 -php_xdebug_remote_log: /tmp/xdebug.log -php_xdebug_idekey: XDEBUG -php_max_nesting_level: 200 +xdebug_remote_enable: 1 +xdebug_remote_connect_back: 1 diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 8575f4f4d9..f47ca9b544 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -23,11 +23,3 @@ php_opcache_interned_strings_buffer: 8 php_opcache_max_accelerated_files: 4000 php_opcache_memory_consumption: 128 php_opcache_revalidate_freq: 60 - -php_xdebug_remote_enable: "false" -php_xdebug_remote_connect_back: "false" -php_xdebug_remote_host: localhost -php_xdebug_remote_port: "9000" -php_xdebug_remote_log: /tmp/xdebug.log -php_xdebug_idekey: XDEBUG -php_max_nesting_level: 200 diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 55b27400d2..45f7f0ca05 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -24,24 +24,6 @@ - php7.0-xmlrpc - php7.0-zip -- name: Install Xdebug - apt: - name: php-xdebug - state: latest - when: xdebug_install | default(false) - -- name: xdebug configuration file - template: - src: xdebug.ini.j2 - dest: /etc/php/7.0/mods-available/xdebug.ini - when: xdebug_install | default(false) - -- name: Disable xdebug CLI - file: - path: /etc/php/7.0/cli/conf.d/20-xdebug.ini - state: absent - when: xdebug_install | default(false) - - name: Start php7.0-fpm service service: name: php7.0-fpm diff --git a/roles/php/templates/xdebug.ini.j2 b/roles/php/templates/xdebug.ini.j2 deleted file mode 100644 index 8e8953bc7f..0000000000 
--- a/roles/php/templates/xdebug.ini.j2 +++ /dev/null @@ -1,12 +0,0 @@ -; {{ ansible_managed }} - -[XDebug] -zend_extension="xdebug.so" -xdebug.remote_enable={{ php_xdebug_remote_enable }} -xdebug.remote_connect_back={{ php_xdebug_remote_connect_back }} -xdebug.remote_host={{ php_xdebug_remote_host }} -xdebug.remote_port={{ php_xdebug_remote_port }} -xdebug.remote_handler="dbgp" -xdebug.remote_log={{ php_xdebug_remote_log }} -xdebug.idekey="{{ php_xdebug_idekey }}" -xdebug.max_nesting_level = {{ php_max_nesting_level }} diff --git a/roles/xdebug-tunnel/defaults/main.yml b/roles/xdebug-tunnel/defaults/main.yml new file mode 100644 index 0000000000..6b49635182 --- /dev/null +++ b/roles/xdebug-tunnel/defaults/main.yml @@ -0,0 +1,11 @@ +xdebug_tunnel_close: false +xdebug_tunnel_remote_port: 9000 +xdebug_tunnel_host: localhost +xdebug_tunnel_local_port: 9000 +xdebug_tunnel_control_socket: "/tmp/trellis-xdebug-{{ xdebug_tunnel_inventory_host }}" +xdebug_tunnel_control_identity: "{{ ansible_user_id }}" + +xdebug_tunnel_port_mapping: "{{ xdebug_tunnel_remote_port }}:{{ xdebug_tunnel_host }}:{{ xdebug_tunnel_local_port }}" +xdebug_tunnel_ssh_user: "{{ hostvars[xdebug_tunnel_inventory_host]['ansible_user'] | default(admin_user) }}" +xdebug_tunnel_ssh_host: "{{ hostvars[xdebug_tunnel_inventory_host]['ansible_host'] | default(xdebug_tunnel_inventory_host) }}" +xdebug_tunnel_user_at_host: "{{ xdebug_tunnel_ssh_user }}@{{ xdebug_tunnel_ssh_host }}" diff --git a/roles/xdebug-tunnel/tasks/close.yml b/roles/xdebug-tunnel/tasks/close.yml new file mode 100644 index 0000000000..24798ae7af --- /dev/null +++ b/roles/xdebug-tunnel/tasks/close.yml 
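Review bot: `xdebug_tunnel_control_socket` places the ssh control socket at a predictable path under the shared `/tmp`, derived only from the inventory host name. On a multi-user workstation another local account can create that path first, which makes `open.yml` fail and lets `close.yml`'s `ssh -S ... -O exit` talk to a socket the tunnel owner does not control; a user-private directory avoids both, e.g. `xdebug_tunnel_control_socket: "{{ lookup('env', 'HOME') }}/.ssh/trellis-xdebug-{{ xdebug_tunnel_inventory_host }}"`.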
@@ -0,0 +1,10 @@ +--- +- name: Close XDebug SSH Tunnel + command: "ssh -S '{{ xdebug_tunnel_control_socket }}' -O exit '{{ xdebug_tunnel_control_identity }}'" + when: xdebug_tunnel_close + register: xdebug_tunnel_closing + ignore_errors: true + +- name: Fail the play if tunnel was already closed + fail: msg="SSH tunnel already closed!" + when: "'No such file or directory' in xdebug_tunnel_closing.stderr | default('')" diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml new file mode 100644 index 0000000000..d50397048b --- /dev/null +++ b/roles/xdebug-tunnel/tasks/main.yml @@ -0,0 +1,16 @@ +--- +- include: open.yml + when: xdebug_tunnel_close == false + +- include: close.yml + when: xdebug_tunnel_close + +- name: Announce tunnel was created + debug: + msg: "SSH Tunnel {{ xdebug_tunnel_creation.failed | default(false) | ternary('was not', 'was') }} created!" + when: xdebug_tunnel_creation is defined and xdebug_tunnel_creation.changed + +- name: Announce tunnel was closed + debug: + msg: "SSH Tunnel {{ xdebug_tunnel_closing.failed | default(false) | ternary('was not', 'was') }} closed!" + when: xdebug_tunnel_closing is defined and xdebug_tunnel_closing.changed diff --git a/roles/xdebug-tunnel/tasks/open.yml b/roles/xdebug-tunnel/tasks/open.yml new file mode 100644 index 0000000000..6cfaf4eb0b --- /dev/null +++ b/roles/xdebug-tunnel/tasks/open.yml @@ -0,0 +1,10 @@ +--- +- name: Create XDebug SSH Tunnel + command: "ssh -M -S '{{ xdebug_tunnel_control_socket }}' -fnNT -R {{ xdebug_tunnel_port_mapping }} {{ xdebug_tunnel_user_at_host}} '{{ xdebug_tunnel_control_identity }}'" + when: xdebug_tunnel_close == false + register: xdebug_tunnel_creation + ignore_errors: true + +- name: Fail the play if tunnel already exists + fail: msg="SSH tunnel already exists! Refer to TODO for help. Error:\n{{ xdebug_tunnel_creation.stderr | default('') }}" + when: "'bind: Address already in use' in xdebug_tunnel_creation.stderr | default('')" 
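Review bot: `xdebug_tunnel_close` reaches these tasks from `xdebug-tunnel.sh` as the string `true` (`-e key=value` passes strings), so `when: xdebug_tunnel_close` here in close.yml and `when: xdebug_tunnel_close == false` in the main.yml and open.yml hunks mix a string with a boolean and only behave because of Jinja truthiness and the boolean default. `when: xdebug_tunnel_close | bool` and `when: not (xdebug_tunnel_close | bool)` make the three conditions explicit and symmetric. Separately, open.yml's failure message still says `Refer to TODO for help`; replace the placeholder with the real reference or drop the clause before this ships.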
diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml new file mode 100644 index 0000000000..5354874fb0 --- /dev/null +++ b/roles/xdebug/defaults/main.yml @@ -0,0 +1,43 @@ +xdebug_install: false + +# XDebug Remote Debugging +xdebug_remote_enable: 0 +xdebug_remote_connect_back: 0 +xdebug_remote_host: localhost +xdebug_remote_port: 9000 +xdebug_remote_log: /tmp/xdebug.log +xdebug_idekey: XDEBUG +xdebug_extended_info: 1 +xdebug_max_nesting_level: 200 + +# XDebug Display Settings +xdebug_force_display_errors: 0 +xdebug_force_error_reporting: 0 +xdebug_scream: 0 +xdebug_var_display_max_children: 128 +xdebug_var_display_max_data: 512 +xdebug_var_display_max_depth: 3 + +# XDebug Function/Stack Traces +xdebug_collect_assignments: 0 +xdebug_collect_includes: 1 +xdebug_collect_params: 0 +xdebug_collect_return: 0 +xdebug_collect_vars: 0 +xdebug_show_exception_trace: 0 +xdebug_show_local_vars: 0 +xdebug_show_mem_delta: 0 +xdebug_trace_enable_trigger: 0 +xdebug_trace_enable_trigger_value: +xdebug_trace_format: 0 +xdebug_trace_options: 0 +xdebug_trace_output_dir: /tmp +xdebug_trace_output_name: trace.%c + +# XDebug Profiler +xdebug_profiler_append: 0 +xdebug_profiler_enable: 0 +xdebug_profiler_enable_trigger: 0 +xdebug_profiler_enable_trigger_value: +xdebug_profiler_output_dir: /tmp +xdebug_profiler_output_name: cachegrind.out.%p diff --git a/roles/xdebug/tasks/disable.yml b/roles/xdebug/tasks/disable.yml new file mode 100644 index 0000000000..dbae02affc --- /dev/null +++ b/roles/xdebug/tasks/disable.yml @@ -0,0 +1,7 @@ +--- +- name: Disable xdebug fpm when xdebug_install is false + file: + path: /etc/php/7.0/fpm/conf.d/20-xdebug.ini + state: absent + when: not xdebug_install + notify: reload php-fpm diff --git a/roles/xdebug/tasks/enable.yml b/roles/xdebug/tasks/enable.yml new file mode 100644 index 0000000000..45de44695a --- /dev/null +++ b/roles/xdebug/tasks/enable.yml 
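Review bot: `xdebug_trace_enable_trigger_value:` and `xdebug_profiler_enable_trigger_value:` are left empty, which YAML loads as null, and when xdebug.ini.j2 interpolates them the rendered ini will most likely read `...trigger_value=None` rather than an empty value, since Ansible's templating does not map null to an empty string. Default them to `''` instead: `xdebug_trace_enable_trigger_value: ''` and `xdebug_profiler_enable_trigger_value: ''`. A comment on the `/tmp` defaults for `xdebug_trace_output_dir`, `xdebug_profiler_output_dir` and `xdebug_remote_log` noting that traces and cachegrind files can carry application data and belong in a directory readable only by the php-fpm user would also help whoever enables these in a shared environment.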
@@ -0,0 +1,18 @@ +--- +- name: Install Xdebug + apt: + name: php-xdebug + state: latest + +- name: xdebug configuration file + template: + src: xdebug.ini.j2 + dest: /etc/php/7.0/mods-available/xdebug.ini + notify: reload php-fpm + +- name: Ensure 20-xdebug.ini present + file: + src: /etc/php/7.0/mods-available/xdebug.ini + dest: /etc/php/7.0/fpm/conf.d/20-xdebug.ini + state: link + notify: reload php-fpm diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml new file mode 100644 index 0000000000..26c8988448 --- /dev/null +++ b/roles/xdebug/tasks/main.yml @@ -0,0 +1,11 @@ +--- +- include: enable.yml + when: xdebug_install + +- include: disable.yml + when: not xdebug_install + +- name: Disable xdebug CLI + file: + path: /etc/php/7.0/cli/conf.d/20-xdebug.ini + state: absent diff --git a/roles/xdebug/templates/xdebug.ini.j2 b/roles/xdebug/templates/xdebug.ini.j2 new file mode 100644 index 0000000000..06abd75264 --- /dev/null +++ b/roles/xdebug/templates/xdebug.ini.j2 
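Review bot: The `Install Xdebug` task uses `state: latest`, so every tunnel open run may upgrade `php-xdebug` on the target as a side effect of a debugging session; `state: present` installs it once and leaves upgrades to the normal update path. If upgrade-on-run is intended, a comment saying so would stop the next reader from changing it.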
@@ -0,0 +1,47 @@ +; {{ ansible_managed }} + +[XDebug] +zend_extension="xdebug.so" + +; Remote Debugging +xdebug.remote_enable={{ xdebug_remote_enable }} +xdebug.remote_connect_back={{ xdebug_remote_connect_back }} +xdebug.remote_host={{ xdebug_remote_host }} +xdebug.remote_port={{ xdebug_remote_port }} +xdebug.remote_handler=dbgp +xdebug.remote_log="{{ xdebug_remote_log }}" +xdebug.idekey="{{ xdebug_idekey }}" +xdebug.extended_info={{ xdebug_extended_info }} +xdebug.max_nesting_level={{ xdebug_max_nesting_level }} + +; Display Settings +xdebug.force_display_errors={{ xdebug_force_display_errors }} +xdebug.force_error_reporting={{ xdebug_force_error_reporting }} +xdebug.scream={{ xdebug_scream }} +xdebug.var_display_max_children={{ xdebug_var_display_max_children }} +xdebug.var_display_max_data={{ xdebug_var_display_max_data }} +xdebug.var_display_max_depth={{ xdebug_var_display_max_depth }} + +; Function/Stack Traces +xdebug.collect_assignments={{ xdebug_collect_assignments }} +xdebug.collect_includes={{ xdebug_collect_includes }} +xdebug.collect_params={{ xdebug_collect_params }} +xdebug.collect_return={{ xdebug_collect_return }} +xdebug.collect_vars={{ xdebug_collect_vars }} +xdebug.show_exception_trace={{ xdebug_show_exception_trace }} +xdebug.show_local_vars={{ xdebug_show_local_vars }} +xdebug.show_mem_delta={{ xdebug_show_mem_delta }} +xdebug.trace_enable_trigger={{ xdebug_trace_enable_trigger }} +xdebug.trace_enable_trigger_value={{ xdebug_trace_enable_trigger_value }} +xdebug.trace_format={{ xdebug_trace_format }} +xdebug.trace_options={{ xdebug_trace_options }} +xdebug.trace_output_dir={{ xdebug_trace_output_dir }} +xdebug.trace_output_name={{ xdebug_trace_output_name }} + +; Profiler +xdebug.profiler_append={{ xdebug_profiler_append }} +xdebug.profiler_enable={{ xdebug_profiler_enable }} +xdebug.profiler_enable_trigger={{ xdebug_profiler_enable_trigger }} +xdebug.profiler_enable_trigger_value={{ xdebug_profiler_enable_trigger_value }} 
+xdebug.profiler_output_dir={{ xdebug_profiler_output_dir }} +xdebug.profiler_output_name={{ xdebug_profiler_output_name }} diff --git a/xdebug-tunnel.sh b/xdebug-tunnel.sh new file mode 100644 index 0000000000..90795f9058 --- /dev/null +++ b/xdebug-tunnel.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash +# Usage: +# To open a tunnel: bin/xdebug-tunnel.sh example_com_prod +# To close a tunnel: bin/xdebug-tunnel.sh example_com_prod close + +SSH_HOST="-e xdebug_tunnel_inventory_host=${1}" +MAYBE_CLOSE="${2}" +CLOSE_CONNECTION= +DEBUG="${DEBUG:-}" +VERBOSITY="${VERBOSITY:--vvvv}" +PARAMs="${PARAMS:-}" + +if [[ "${MAYBE_CLOSE}" == 'close' ]]; then + PARAMS="${PARAMS} -e xdebug_tunnel_close=true -e xdebug_install=false" +else + PARAMS="${PARAMS} -e xdebug_install=true -e xdebug_remote_enable=1" +fi + +if [[ -n "${DEBUG}" ]]; then + PARAMS="${PARAMS} ${VERBOSITY}" +fi + +PARAMS="${SSH_HOST} ${CLOSE_CONNECTION} ${PARAMS}" +ansible-playbook xdebug-tunnel.yml ${PARAMS} diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml new file mode 100644 index 0000000000..704ce636d8 --- /dev/null +++ b/xdebug-tunnel.yml @@ -0,0 +1,18 @@ +--- +- name: Determine Remote User + hosts: "{{ xdebug_tunnel_inventory_host }}" + gather_facts: false + roles: + - { role: remote-user, tags: [remote-user, always] } + +- name: Enable/Disable Xdebug + hosts: "{{ xdebug_tunnel_inventory_host }}" + roles: + - { role: xdebug, tags: [xdebug] } + handlers: + - include: roles/common/handlers/main.yml + +- name: Manage XDebug SSH Tunnel + hosts: localhost + roles: + - { role: xdebug-tunnel, tags: [xdebug-tunnel] } From 537a5a43bb6bb743aa855ea9d98591f1eca7b4a3 Mon Sep 17 00:00:00 2001 
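Review bot: `PARAMs="${PARAMS:-}"` assigns to a differently-cased variable, so `PARAMS` is never initialised by the script (it only works because bash treats the unset name as empty, and it would abort under `set -u`), and `CLOSE_CONNECTION=` is declared but never assigned anything before it is spliced into `PARAMS`. The positional `${1}` is also passed straight into `-e xdebug_tunnel_inventory_host=` with no presence check, so a bare `bin/xdebug-tunnel.sh` runs the playbook against an empty host pattern. Fixing the typo and adding `[[ -n ${1:-} ]] || { echo "usage: $0 <inventory_host> [close]" >&2; exit 1; }` near the top would cover both.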
From: Phil Nelson Date: Mon, 7 Nov 2016 10:26:27 -0800 Subject: [PATCH 072/292] Simplify xdebug and xdebug-tunnel roles, xdebug-tunnel.sh --- group_vars/development/php.yml | 1 - roles/remote-user/tasks/main.yml | 2 +- roles/xdebug-tunnel/defaults/main.yml | 3 +-- roles/xdebug-tunnel/tasks/close.yml | 10 -------- roles/xdebug-tunnel/tasks/main.yml | 35 ++++++++++++++++++--------- roles/xdebug-tunnel/tasks/open.yml | 10 -------- roles/xdebug/defaults/main.yml | 2 -- roles/xdebug/tasks/disable.yml | 7 ------ roles/xdebug/tasks/enable.yml | 18 -------------- roles/xdebug/tasks/main.yml | 32 ++++++++++++++++++++---- roles/xdebug/templates/xdebug.ini.j2 | 6 ++--- xdebug-tunnel.sh | 25 ++++++------------- xdebug-tunnel.yml | 13 +++++----- 13 files changed, 68 insertions(+), 96 deletions(-) delete mode 100644 roles/xdebug-tunnel/tasks/close.yml delete mode 100644 roles/xdebug-tunnel/tasks/open.yml delete mode 100644 roles/xdebug/tasks/disable.yml delete mode 100644 roles/xdebug/tasks/enable.yml diff --git a/group_vars/development/php.yml b/group_vars/development/php.yml index fcd82f34d5..7b9af47888 100644 --- a/group_vars/development/php.yml +++ b/group_vars/development/php.yml @@ -5,6 +5,5 @@ php_track_errors: 'On' php_mysqlnd_collect_memory_statistics: 'On' php_opcache_enable: 0 -xdebug_install: true xdebug_remote_enable: 1 xdebug_remote_connect_back: 1 diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index ffdd66d2e9..94432a6c66 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml @@ -3,7 +3,7 @@ fail: msg: | When using `--ask-pass` option, use `-u` option to define remote-user: - ansible-playbook server.yml -e env={{ env }} -u root --ask-pass + ansible-playbook server.yml -e env={{ env | default('production') }} -u root --ask-pass when: ansible_user is not defined and cli_ask_pass | default(false) - name: Check whether Ansible can connect as root 
diff --git a/roles/xdebug-tunnel/defaults/main.yml b/roles/xdebug-tunnel/defaults/main.yml
index 6b49635182..c9a52a144a 100644
--- a/roles/xdebug-tunnel/defaults/main.yml
+++ b/roles/xdebug-tunnel/defaults/main.yml
@@ -1,8 +1,7 @@
-xdebug_tunnel_close: false
xdebug_tunnel_remote_port: 9000
xdebug_tunnel_host: localhost
xdebug_tunnel_local_port: 9000
-xdebug_tunnel_control_socket: "/tmp/trellis-xdebug-{{ xdebug_tunnel_inventory_host }}"
+xdebug_tunnel_control_socket: /tmp/trellis-xdebug-{{ xdebug_tunnel_inventory_host }}
xdebug_tunnel_control_identity: "{{ ansible_user_id }}"
xdebug_tunnel_port_mapping: "{{ xdebug_tunnel_remote_port }}:{{ xdebug_tunnel_host }}:{{ xdebug_tunnel_local_port }}"
diff --git a/roles/xdebug-tunnel/tasks/close.yml b/roles/xdebug-tunnel/tasks/close.yml
deleted file mode 100644
index 24798ae7af..0000000000
--- a/roles/xdebug-tunnel/tasks/close.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: Close XDebug SSH Tunnel
- command: "ssh -S '{{ xdebug_tunnel_control_socket }}' -O exit '{{ xdebug_tunnel_control_identity }}'"
- when: xdebug_tunnel_close
- register: xdebug_tunnel_closing
- ignore_errors: true
-
-- name: Fail the play if tunnel was already closed
- fail: msg="SSH tunnel already closed!"
- when: "'No such file or directory' in xdebug_tunnel_closing.stderr | default('')"
diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml
index d50397048b..087428970d 100644
--- a/roles/xdebug-tunnel/tasks/main.yml
+++ b/roles/xdebug-tunnel/tasks/main.yml
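Review bot: `xdebug_tunnel_control_socket` is a predictable path in the shared /tmp (`/tmp/trellis-xdebug-<inventory host>`), which is a poor home for an ssh ControlMaster socket: any local user can pre-create that name, and `ssh -M` then refuses to start the tunnel (which the `'already' in stderr` branch in tasks/main.yml would report as an existing tunnel). Keeping it under the invoking user's own `~/.ssh`, which is conventionally 0700, avoids that, e.g. `xdebug_tunnel_control_socket: "{{ lookup('env', 'HOME') }}/.ssh/trellis-xdebug-{{ xdebug_tunnel_inventory_host }}"`. The inventory host name also becomes part of a filesystem path here, so a comment noting that it is expected to be a plain hostname or alias would not hurt.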
@@ -1,16 +1,27 @@ --- -- include: open.yml - when: xdebug_tunnel_close == false +- name: Create or close Xdebug SSH tunnel + command: | + {% if xdebug_remote_enable | bool %} + ssh -M -S '{{ xdebug_tunnel_control_socket }}' -fnNT -R {{ xdebug_tunnel_port_mapping }} {{ xdebug_tunnel_user_at_host}} '{{ xdebug_tunnel_control_identity }}' + {% else %} + ssh -S '{{ xdebug_tunnel_control_socket }}' -O exit '{{ xdebug_tunnel_control_identity }}' + {% endif %} + connection: local + register: xdebug_tunnel + ignore_errors: true -- include: close.yml - when: xdebug_tunnel_close +- name: Interpret and present Xdebug SSH tunnel errors + fail: + msg: | + {% if 'already' in xdebug_tunnel.stderr | default('') %} + SSH tunnel already exists! Refer to TODO for help. + {% elif 'No such file or directory' in xdebug_tunnel.stderr | default('') %} + SSH tunnel already closed! + {% endif %} + {{ xdebug_tunnel.stderr | default('Unknown error in handling Xdebug SSH tunnel') }} + when: xdebug_tunnel | failed or 'already' in xdebug_tunnel.stderr | default('') -- name: Announce tunnel was created +- name: Announce Xdebug SSH tunnel status debug: - msg: "SSH Tunnel {{ xdebug_tunnel_creation.failed | default(false) | ternary('was not', 'was') }} created!" - when: xdebug_tunnel_creation is defined and xdebug_tunnel_creation.changed - -- name: Announce tunnel was closed - debug: - msg: "SSH Tunnel {{ xdebug_tunnel_closing.failed | default(false) | ternary('was not', 'was') }} closed!" - when: xdebug_tunnel_closing is defined and xdebug_tunnel_closing.changed + msg: SSH Tunnel was {{ xdebug_remote_enable | bool | ternary('created', 'closed') }}! + when: xdebug_tunnel | changed diff --git a/roles/xdebug-tunnel/tasks/open.yml b/roles/xdebug-tunnel/tasks/open.yml deleted file mode 100644 index 6cfaf4eb0b..0000000000 --- a/roles/xdebug-tunnel/tasks/open.yml +++ /dev/null 
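Review bot: The failure message in `Interpret and present Xdebug SSH tunnel errors` still contains the placeholder `Refer to TODO for help.`, so users see it exactly when something has gone wrong; either drop that sentence or replace `TODO` with the docs URL before this merges. The `'already' in xdebug_tunnel.stderr` substring test that both gates the `fail` task and selects the message is looser than the `'bind: Address already in use'` check the deleted open.yml had; matching `'already exists'` (the ControlSocket case) and `'Address already in use'` (the remote port case) separately would give accurate messages instead of lumping unrelated output together. It would also help to comment on the `ssh -M ... -R` line that the reverse forward binds to the remote loopback only (ssh's default without GatewayPorts), since that is what keeps the DBGp port from being reachable from other hosts — I am inferring that from ssh defaults, not from anything in this patch.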
@@ -1,10 +0,0 @@ ---- -- name: Create XDebug SSH Tunnel - command: "ssh -M -S '{{ xdebug_tunnel_control_socket }}' -fnNT -R {{ xdebug_tunnel_port_mapping }} {{ xdebug_tunnel_user_at_host}} '{{ xdebug_tunnel_control_identity }}'" - when: xdebug_tunnel_close == false - register: xdebug_tunnel_creation - ignore_errors: true - -- name: Fail the play if tunnel already exists - fail: msg="SSH tunnel already exists! Refer to TODO for help. Error:\n{{ xdebug_tunnel_creation.stderr | default('') }}" - when: "'bind: Address already in use' in xdebug_tunnel_creation.stderr | default('')" diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index 5354874fb0..334b958b8c 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,5 +1,3 @@ -xdebug_install: false - # XDebug Remote Debugging xdebug_remote_enable: 0 xdebug_remote_connect_back: 0 diff --git a/roles/xdebug/tasks/disable.yml b/roles/xdebug/tasks/disable.yml deleted file mode 100644 index dbae02affc..0000000000 --- a/roles/xdebug/tasks/disable.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Disable xdebug fpm when xdebug_install is false - file: - path: /etc/php/7.0/fpm/conf.d/20-xdebug.ini - state: absent - when: not xdebug_install - notify: reload php-fpm diff --git a/roles/xdebug/tasks/enable.yml b/roles/xdebug/tasks/enable.yml deleted file mode 100644 index 45de44695a..0000000000 --- a/roles/xdebug/tasks/enable.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- name: Install Xdebug - apt: - name: php-xdebug - state: latest - -- name: xdebug configuration file - template: - src: xdebug.ini.j2 - dest: /etc/php/7.0/mods-available/xdebug.ini - notify: reload php-fpm - -- name: Ensure 20-xdebug.ini present - file: - src: /etc/php/7.0/mods-available/xdebug.ini - dest: /etc/php/7.0/fpm/conf.d/20-xdebug.ini - state: link - notify: reload php-fpm diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 26c8988448..ae88b34d50 100644 
--- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -1,11 +1,33 @@ --- -- include: enable.yml - when: xdebug_install +- block: + - name: Install Xdebug + apt: + name: php-xdebug + state: latest -- include: disable.yml - when: not xdebug_install + - name: Template the Xdebug configuration file + template: + src: xdebug.ini.j2 + dest: /etc/php/7.0/mods-available/xdebug.ini + notify: reload php-fpm -- name: Disable xdebug CLI + - name: Ensure 20-xdebug.ini is present + file: + src: /etc/php/7.0/mods-available/xdebug.ini + dest: /etc/php/7.0/fpm/conf.d/20-xdebug.ini + state: link + notify: reload php-fpm + + when: xdebug_remote_enable | bool + +- name: Disable Xdebug + file: + path: /etc/php/7.0/fpm/conf.d/20-xdebug.ini + state: absent + when: not xdebug_remote_enable | bool + notify: reload php-fpm + +- name: Disable Xdebug CLI file: path: /etc/php/7.0/cli/conf.d/20-xdebug.ini state: absent diff --git a/roles/xdebug/templates/xdebug.ini.j2 b/roles/xdebug/templates/xdebug.ini.j2 index 06abd75264..72435a2bf8 100644 --- a/roles/xdebug/templates/xdebug.ini.j2 +++ b/roles/xdebug/templates/xdebug.ini.j2 @@ -1,7 +1,7 @@ ; {{ ansible_managed }} [XDebug] -zend_extension="xdebug.so" +zend_extension=xdebug.so ; Remote Debugging xdebug.remote_enable={{ xdebug_remote_enable }} @@ -9,8 +9,8 @@ xdebug.remote_connect_back={{ xdebug_remote_connect_back }} xdebug.remote_host={{ xdebug_remote_host }} xdebug.remote_port={{ xdebug_remote_port }} xdebug.remote_handler=dbgp -xdebug.remote_log="{{ xdebug_remote_log }}" -xdebug.idekey="{{ xdebug_idekey }}" +xdebug.remote_log={{ xdebug_remote_log }} +xdebug.idekey={{ xdebug_idekey }} xdebug.extended_info={{ xdebug_extended_info }} xdebug.max_nesting_level={{ xdebug_max_nesting_level }} diff --git a/xdebug-tunnel.sh b/xdebug-tunnel.sh index 90795f9058..6c2fb7cac8 100644 --- a/xdebug-tunnel.sh +++ b/xdebug-tunnel.sh 
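Review bot: `xdebug_install` was dropped from the role defaults in this commit and the enable/disable logic now keys on `xdebug_remote_enable | bool`, but group_vars that still set `xdebug_install: true` are now ignored without any message; a guard such as `- fail: msg="xdebug_install has been replaced by xdebug_remote_enable"` with `when: xdebug_install is defined` at the top of this file would turn that silent no-op into a clear error. The `Install Xdebug` task keeps `state: latest`, so every tunnel open can upgrade the extension and trigger a php-fpm reload on the target — `state: present` is the conventional choice for a task that is re-run routinely. The `Disable Xdebug` task only removes the fpm symlink and leaves the package and the mods-available ini behind, which is reasonable but worth a one-line comment so the asymmetry reads as intentional.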
@@ -1,24 +1,13 @@ #!/usr/bin/env bash # Usage: -# To open a tunnel: bin/xdebug-tunnel.sh example_com_prod -# To close a tunnel: bin/xdebug-tunnel.sh example_com_prod close +# To open a tunnel: ./xdebug-tunnel.sh example_com_prod +# To close a tunnel: ./xdebug-tunnel.sh example_com_prod close -SSH_HOST="-e xdebug_tunnel_inventory_host=${1}" -MAYBE_CLOSE="${2}" -CLOSE_CONNECTION= -DEBUG="${DEBUG:-}" -VERBOSITY="${VERBOSITY:--vvvv}" -PARAMs="${PARAMS:-}" +SSH_HOST="-e xdebug_tunnel_inventory_host=$1" +XDEBUG_ENABLE="-e xdebug_remote_enable=$([[ $2 == "close" ]] && echo 0 || echo 1)" -if [[ "${MAYBE_CLOSE}" == 'close' ]]; then - PARAMS="${PARAMS} -e xdebug_tunnel_close=true -e xdebug_install=false" -else - PARAMS="${PARAMS} -e xdebug_install=true -e xdebug_remote_enable=1" +if [[ -n $DEBUG ]]; then + PARAMS="$PARAMS ${VERBOSITY:--vvvv}" fi -if [[ -n "${DEBUG}" ]]; then - PARAMS="${PARAMS} ${VERBOSITY}" -fi - -PARAMS="${SSH_HOST} ${CLOSE_CONNECTION} ${PARAMS}" -ansible-playbook xdebug-tunnel.yml ${PARAMS} +ansible-playbook xdebug-tunnel.yml $SSH_HOST $XDEBUG_ENABLE $PARAMS diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 704ce636d8..19aed882cb 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -5,14 +5,13 @@ roles: - { role: remote-user, tags: [remote-user, always] } -- name: Enable/Disable Xdebug +- name: Enable or Disable Xdebug and SSH Tunnel hosts: "{{ xdebug_tunnel_inventory_host }}" roles: - { role: xdebug, tags: [xdebug] } - handlers: - - include: roles/common/handlers/main.yml - -- name: Manage XDebug SSH Tunnel - hosts: localhost - roles: - { role: xdebug-tunnel, tags: [xdebug-tunnel] } + handlers: + - name: reload php-fpm + service: + name: php7.0-fpm + state: reloaded From ba0f5fdecb072b3de9580933b9ed6d674607e97e Mon Sep 17 00:00:00 2001 
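Review bot: The `reload php-fpm` handler is now inlined in this playbook with a hard-coded `php7.0-fpm` service, replacing the `roles/common/handlers/main.yml` include the play previously shared with the rest of Trellis; when the common handler changes (a PHP version bump, say) this copy silently falls out of step, so pointing `handlers:` back at the shared file, or at least noting why it was inlined, is worth doing. Dropping the separate `hosts: localhost` play means the tunnel role now runs inside the remote host's play and relies entirely on its task-level `connection: local`; a comment on the role line saying so would stop someone from "fixing" it later. In the xdebug-tunnel.sh hunk on this line the unchecked `$1` is still interpolated into `-e xdebug_tunnel_inventory_host=$1`, so a missing argument yields an empty host pattern.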
From: Nathaniel Schweinberg Date: Mon, 7 Nov 2016 11:03:25 -0800 Subject: [PATCH 073/292] Move xdebug-tunnel.sh to bin/ --- xdebug-tunnel.sh => bin/xdebug-tunnel.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename xdebug-tunnel.sh => bin/xdebug-tunnel.sh (69%) diff --git a/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh similarity index 69% rename from xdebug-tunnel.sh rename to bin/xdebug-tunnel.sh index 6c2fb7cac8..38040185c0 100644 --- a/xdebug-tunnel.sh +++ b/bin/xdebug-tunnel.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # Usage: -# To open a tunnel: ./xdebug-tunnel.sh example_com_prod -# To close a tunnel: ./xdebug-tunnel.sh example_com_prod close +# To open a tunnel: bin/xdebug-tunnel.sh example_com_prod +# To close a tunnel: bin/xdebug-tunnel.sh example_com_prod close SSH_HOST="-e xdebug_tunnel_inventory_host=$1" XDEBUG_ENABLE="-e xdebug_remote_enable=$([[ $2 == "close" ]] && echo 0 || echo 1)" From 40c64956e7161ee5ad9d3edbb1ed61794fdf014c Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Tue, 8 Nov 2016 12:53:32 -0800 Subject: [PATCH 074/292] Make xdebug-tunnel.sh command more explicit --- CHANGELOG.md | 2 ++ bin/xdebug-tunnel.sh | 41 +++++++++++++++++++++++++++++++++++------ 2 files changed, 37 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b5db81eacb..58f7207fd3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,6 @@ ### HEAD +* Add `bin/xdebug-tunnel.sh` to manage Xdebug and SSH tunnels on remote hosts ([#678](https://github.com/roots/trellis/pull/678)) +* Move Xdebug installation/configuration into its own role ([#678](https://github.com/roots/trellis/pull/678)) * Disable wp-cron emails ([#685](https://github.com/roots/trellis/pull/685)) * Make `raw_vars` compatible with play vars and Ansible 2.1 ([#684](https://github.com/roots/trellis/pull/684)) * Ensure there is always at least one PHP-FPM pool defined ([#682](https://github.com/roots/trellis/pull/682)) 
diff --git a/bin/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh index 38040185c0..8f475677ac 100644 --- a/bin/xdebug-tunnel.sh +++ b/bin/xdebug-tunnel.sh @@ -1,13 +1,42 @@ #!/usr/bin/env bash -# Usage: -# To open a tunnel: bin/xdebug-tunnel.sh example_com_prod -# To close a tunnel: bin/xdebug-tunnel.sh example_com_prod close -SSH_HOST="-e xdebug_tunnel_inventory_host=$1" -XDEBUG_ENABLE="-e xdebug_remote_enable=$([[ $2 == "close" ]] && echo 0 || echo 1)" +show_usage() { + echo " +Usage: bin/xdebug-tunnel.sh + + can be 'open' or 'close' + is the hostname, IP, or inventory alias in your \`hosts/\` file. + +Examples: + To open a tunnel: + bin/xdebug-tunnel.sh open 12.34.56.78 + + To close a tunnel: + bin/xdebug-tunnel.sh close 12.34.56.78 +" +} + +if [[ $1 == "open" ]]; then + REMOTE_ENABLE=1 +elif [[ $1 == "close" ]]; then + REMOTE_ENABLE=0 +else + >&2 echo "The provided argument '${1}' is not acceptable." + show_usage + exit 1 +fi + +if [[ -z $2 ]]; then + >&2 echo "The argument is required." + show_usage + exit 1 +fi + +XDEBUG_ENABLE="-e xdebug_remote_enable=${REMOTE_ENABLE}" +SSH_HOST="-e xdebug_tunnel_inventory_host=$2" if [[ -n $DEBUG ]]; then PARAMS="$PARAMS ${VERBOSITY:--vvvv}" fi -ansible-playbook xdebug-tunnel.yml $SSH_HOST $XDEBUG_ENABLE $PARAMS +ansible-playbook xdebug-tunnel.yml $XDEBUG_ENABLE $SSH_HOST $PARAMS From 9069df80034dd76b6bf78370a746a76e43e08a35 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 8 Nov 2016 19:51:20 -0700 Subject: [PATCH 075/292] Make xdebug-tunnel.sh executable --- bin/xdebug-tunnel.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 bin/xdebug-tunnel.sh diff --git a/bin/xdebug-tunnel.sh b/bin/xdebug-tunnel.sh old mode 100644 new mode 100755 From 7340976c4bb983324526eb7f481b44f5d82e1f2e Mon Sep 17 00:00:00 2001 
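Review bot: The argument validation added here is a real improvement, but the script still has no `set -euo pipefail`, so an unexpected empty expansion goes unnoticed and a failing `ansible-playbook` exit status is the only error signal. Adding `set -euo pipefail` after the shebang and invoking the playbook as `ansible-playbook xdebug-tunnel.yml -e "xdebug_remote_enable=${REMOTE_ENABLE}" -e "xdebug_tunnel_inventory_host=$2" ${PARAMS:-}` keeps the intentional word-splitting for `PARAMS` while protecting the host argument from splitting. `PARAMS`, `DEBUG` and `VERBOSITY` are read from the environment without being documented anywhere; a line in `show_usage` such as `Environment: DEBUG=1 enables verbose output (VERBOSITY, default -vvvv); PARAMS passes extra ansible-playbook arguments` would make that explicit.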
From: Phil Nelson Date: Fri, 11 Nov 2016 12:13:54 -0700 Subject: [PATCH 076/292] Add myhostname to nsswitch.conf to ensure resolvable hostname --- CHANGELOG.md | 1 + roles/common/tasks/main.yml | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 58f7207fd3..b5f37bdf16 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add myhostname to nsswitch.conf to ensure resolvable hostname ([#686](https://github.com/roots/trellis/pull/686)) * Add `bin/xdebug-tunnel.sh` to manage Xdebug and SSH tunnels on remote hosts ([#678](https://github.com/roots/trellis/pull/678)) * Move Xdebug installation/configuration into its own role ([#678](https://github.com/roots/trellis/pull/678)) * Disable wp-cron emails ([#685](https://github.com/roots/trellis/pull/685)) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 6d11d66b15..622cf87e80 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -60,6 +60,7 @@ - curl - git-core - dbus + - libnss-myhostname - name: Validate timezone variable stat: @@ -71,3 +72,12 @@ fail: msg: "{{ ntp_timezone }} is not a valid timezone. For a list of valid timezones, check https://php.net/manual/en/timezones.php" when: not timezone_path.stat.exists + +- name: Add myhostname to nsswitch.conf to ensure resolvable hostname + lineinfile: + backrefs: yes + backup: yes + dest: /etc/nsswitch.conf + line: \1 myhostname + regexp: ^(hosts\:((?!myhostname).)*)$ + state: present From 0aebdd69feb19c94416429bb44ee54974a56194f Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Fri, 4 Nov 2016 10:03:00 -0700 Subject: [PATCH 077/292] Move *.sh files to bin/ --- CHANGELOG.md | 2 +- README.md | 2 +- Vagrantfile | 2 +- deploy.sh => bin/deploy.sh | 0 windows.sh => bin/windows.sh | 2 +- 5 files changed, 4 insertions(+), 4 deletions(-) rename deploy.sh => bin/deploy.sh (100%) rename windows.sh => bin/windows.sh (94%) 
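Review bot: `backup: yes` on the `lineinfile` task leaves a timestamped copy of /etc/nsswitch.conf in /etc every time the line changes and nothing ever prunes them; for a file this role manages that is clutter rather than safety, so consider dropping it. The regexp `^(hosts\:((?!myhostname).)*)$` with `line: \1 myhostname` appends the module after whatever is already on the `hosts:` line, so it is consulted only when the modules listed before it have failed and cannot shadow an /etc/hosts or DNS answer — that is the security-relevant property of this change and deserves a comment above the task, e.g. `# appended last so myhostname never shadows /etc/hosts or DNS results`. The `\:` escape is redundant (`:` is not special in a Python regex) and can go.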
diff --git a/CHANGELOG.md b/CHANGELOG.md index b5f37bdf16..2bbde8d91f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -157,7 +157,7 @@ * Fix PHP error handling * Flush wp db theme roots on deploy * Stop recursive copying of vendor -* Update the windows.sh script with absolute path +* Update the bin/windows.sh script with absolute path * Conditionally copy .env into web root * Add subtree commented out * Add Composer binary path to the default path diff --git a/README.md b/README.md index 5b572c417a..03db0da588 100644 --- a/README.md +++ b/README.md @@ -85,7 +85,7 @@ A base Ubuntu 16.04 server is required for setting up remote servers. OS X users 1. Add the `repo` (Git URL) of your Bedrock WordPress project in the corresponding `group_vars//wordpress_sites.yml` file 2. Set the `branch` you want to deploy -3. Run `./deploy.sh ` +3. Run `./bin/deploy.sh ` 4. To rollback a deploy, run `ansible-playbook rollback.yml -e "site= env="` [Read the deploys docs](https://roots.io/trellis/docs/deploys/) for more information. diff --git a/Vagrantfile b/Vagrantfile index ff7bbfc861..56f260dde8 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -89,7 +89,7 @@ Vagrant.configure('2') do |config| if Vagrant::Util::Platform.windows? config.vm.provision :shell do |sh| - sh.path = File.join(ANSIBLE_PATH, 'windows.sh') + sh.path = File.join(ANSIBLE_PATH, 'bin/windows.sh') sh.args = [Vagrant::VERSION] sh.keep_color = true end diff --git a/deploy.sh b/bin/deploy.sh similarity index 100% rename from deploy.sh rename to bin/deploy.sh diff --git a/windows.sh b/bin/windows.sh similarity index 94% rename from windows.sh rename to bin/windows.sh index 56697ff942..f563c1cff8 100644 --- a/windows.sh +++ b/bin/windows.sh @@ -5,7 +5,7 @@ # @author Andrea Brandi # @version 1.0 -ANSIBLE_PATH="$(find /vagrant -name 'windows.sh' -printf '%h' -quit)" +ANSIBLE_PATH="$(find /vagrant -name 'bin/windows.sh' -printf '%h' -quit)" export PYTHONUNBUFFERED=1 # Create an ssh key if not already created. 
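Review bot: `find /vagrant -name 'bin/windows.sh'` can never match: `-name` compares against the basename only, and GNU find warns that a pattern containing `/` will match nothing, so after this rename `ANSIBLE_PATH` is empty and anything that builds on it in the rest of the script breaks. Use a path match and step back up to the project root, e.g. `ANSIBLE_PATH="$(find /vagrant -path '*/bin/windows.sh' -printf '%h' -quit)/.."` (`%h` now yields the `bin` directory, hence the `/..`), and add a comment that `$0` cannot be used here because the Vagrant shell provisioner runs an uploaded copy of the script. The README and Vagrantfile hunks in this commit look correct.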
From d10fb2f9de835eebbac23e6047c1a71e8c9fb3f2 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 30 Nov 2016 22:20:27 -0500 Subject: [PATCH 078/292] Add CHANGELOG entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2bbde8d91f..908d71fd7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Move shell scripts to bin/ directory ([#680](https://github.com/roots/trellis/pull/680)) * Add myhostname to nsswitch.conf to ensure resolvable hostname ([#686](https://github.com/roots/trellis/pull/686)) * Add `bin/xdebug-tunnel.sh` to manage Xdebug and SSH tunnels on remote hosts ([#678](https://github.com/roots/trellis/pull/678)) * Move Xdebug installation/configuration into its own role ([#678](https://github.com/roots/trellis/pull/678)) From ffc9e579b508a748c80080a672407e42acf11d6b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 12 Nov 2016 18:47:50 -0700 Subject: [PATCH 079/292] Move Nginx includes tasks to separate task file --- roles/wordpress-setup/tasks/main.yml | 3 ++ .../wordpress-setup/tasks/nginx-includes.yml | 32 +++++++++++++++++++ roles/wordpress-setup/tasks/nginx.yml | 32 ------------------- 3 files changed, 35 insertions(+), 32 deletions(-) create mode 100644 roles/wordpress-setup/tasks/nginx-includes.yml diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 390014556f..8bb6ce58b5 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -35,6 +35,9 @@ when: disable_default_pool | default(true) notify: reload php-fpm +- include: nginx-includes.yml + tags: [wordpress-setup-nginx-includes, wordpress-setup-nginx] + - include: nginx.yml tags: wordpress-setup-nginx diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml new file mode 100644 index 0000000000..9eee932d73 --- /dev/null +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
@@ -0,0 +1,32 @@ +--- +- name: Create includes.d directories + file: + path: "{{ nginx_path }}/includes.d/{{ item }}" + state: directory + mode: 0755 + with_items: "{{ wordpress_sites.keys() }}" + register: nginx_includes_paths + +- name: Template files out to includes.d + template: + src: "includes.d/{{ item }}" + dest: "{{ nginx_path }}/includes.d/{{ item[:-3] }}" + with_lines: "cd {{ role_path }}/templates/includes.d && find {{ wordpress_sites.keys() | join(' ') }} -type f -name \\*.conf.j2 2>/dev/null || :" + register: nginx_includes_managed + notify: reload nginx + +- name: Retrieve list of existing files in includes.d + shell: "find {{ nginx_includes_paths.results | map(attribute='path') | join(' ') }} -type f -name \\*.conf 2>/dev/null || :" + register: nginx_includes_existing + changed_when: false + +- name: Remove unmanaged files from includes.d + file: + path: "{{ item }}" + state: absent + with_items: "{{ nginx_includes_existing.stdout_lines | + difference(nginx_includes_managed.results | default([]) | map(attribute='item') | + map('regex_replace', '(.*)\\.j2', '/etc/nginx/includes.d/\\1') | list + ) + }}" + notify: reload nginx diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index 1ef7378b56..64f9003b66 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml 
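Review bot: The `Remove unmanaged files from includes.d` task computes the set of managed files by rewriting template paths to a hard-coded `/etc/nginx/includes.d/\1`, while the `find` that lists existing files runs under `{{ nginx_path }}/includes.d`; on any host where `nginx_path` is not `/etc/nginx` the difference contains every existing `.conf`, and the task deletes the files it has just templated and then reloads nginx. Using `nginx_path + '/includes.d/\\1'` in the `regex_replace` keeps both sides consistent. Since this task unconditionally deletes any `.conf` an operator placed in includes.d by hand, a comment stating that includes.d is fully managed by this role (and ideally an opt-out variable) would prevent surprises — the code is moved from nginx.yml, so these issues predate this commit.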
@@ -15,38 +15,6 @@ with_dict: "{{ wordpress_sites }}" when: item.value.ssl.enabled and item.value.ssl.key is defined -- name: Create includes.d directories - file: - path: "{{ nginx_path }}/includes.d/{{ item }}" - state: directory - mode: 0755 - with_items: "{{ wordpress_sites.keys() }}" - register: nginx_includes_paths - -- name: Template files out to includes.d - template: - src: "includes.d/{{ item }}" - dest: "{{ nginx_path }}/includes.d/{{ item[:-3] }}" - with_lines: "cd {{ role_path }}/templates/includes.d && find {{ wordpress_sites.keys() | join(' ') }} -type f -name \\*.conf.j2 2>/dev/null || :" - register: nginx_includes_managed - notify: reload nginx - -- name: Retrieve list of existing files in includes.d - shell: "find {{ nginx_includes_paths.results | map(attribute='path') | join(' ') }} -type f -name \\*.conf 2>/dev/null || :" - register: nginx_includes_existing - changed_when: false - -- name: Remove unmanaged files from includes.d - file: - path: "{{ item }}" - state: absent - with_items: "{{ nginx_includes_existing.stdout_lines | - difference(nginx_includes_managed.results | default([]) | map(attribute='item') | - map('regex_replace', '(.*)\\.j2', '/etc/nginx/includes.d/\\1') | list - ) - }}" - notify: reload nginx - - name: Create Nginx conf for challenges location template: src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2" From 4b3a97230f575f1945df5812e1ef54ba2176f163 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 12 Nov 2016 21:17:29 -0700 Subject: [PATCH 080/292] Use find module to build list of Nginx includes without errors --- roles/wordpress-setup/tasks/nginx-includes.yml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 9eee932d73..e5c8911dc8 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
@@ -1,17 +1,26 @@ --- +- name: Build list of Nginx includes templates + find: + paths: roles/wordpress-setup/templates/includes.d + pattern: "*.conf.j2" + recurse: yes + become: no + connection: local + register: nginx_includes_templates + - name: Create includes.d directories file: path: "{{ nginx_path }}/includes.d/{{ item }}" state: directory mode: 0755 - with_items: "{{ wordpress_sites.keys() }}" + with_items: "{{ nginx_includes_templates.files | map(attribute='path') | map('relpath', 'roles/wordpress-setup/templates/includes.d') | map('dirname') | unique | select | list | sort }}" register: nginx_includes_paths - name: Template files out to includes.d template: - src: "includes.d/{{ item }}" - dest: "{{ nginx_path }}/includes.d/{{ item[:-3] }}" - with_lines: "cd {{ role_path }}/templates/includes.d && find {{ wordpress_sites.keys() | join(' ') }} -type f -name \\*.conf.j2 2>/dev/null || :" + src: "{{ item }}" + dest: "{{ nginx_path }}/includes.d/{{ item[:-3] | relpath('roles/wordpress-setup/templates/includes.d') }}" + with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list }}" register: nginx_includes_managed notify: reload nginx From f68f60ca3930a5cc046db391bb3d6036de769657 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 12 Nov 2016 21:35:33 -0700 Subject: [PATCH 081/292] Begin using new nginx_includes_templates_path --- roles/wordpress-setup/defaults/main.yml | 1 + roles/wordpress-setup/tasks/nginx-includes.yml | 18 ++++++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index dca1ba5052..6dd9b1c1cc 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -1 +1,2 @@ site_uses_local_db: "{{ site_env.db_host == 'localhost' }}" +nginx_includes_templates_path: nginx-includes 
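Review bot: The `find` task now locates templates with the relative path `roles/wordpress-setup/templates/includes.d` under `connection: local`, which appears to depend on ansible-playbook being run from the Trellis root; `"{{ playbook_dir }}/roles/wordpress-setup/templates/includes.d"` (with the same prefix passed to `relpath`) would make it cwd-independent. `become: no` on a local `find` is correct and deserves a short comment (`# runs on the control machine; never elevate`), as it is easy to mistake for an oversight. The `item[:-3] | relpath(...)` in `dest` assumes every match ends in exactly `.j2`, which only the `*.conf.j2` pattern guarantees, so a comment tying the slice to the pattern would help the next reader.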
diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index e5c8911dc8..52ccaad4f5 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
@@ -1,26 +1,36 @@ --- - name: Build list of Nginx includes templates find: - paths: roles/wordpress-setup/templates/includes.d + paths: + - "{{ nginx_includes_templates_path }}" + - roles/wordpress-setup/templates/includes.d pattern: "*.conf.j2" recurse: yes become: no connection: local register: nginx_includes_templates +- name: Warn about deprecated Nginx includes directory + debug: + msg: "[DEPRECATION WARNING]: The `roles/wordpress-setup/templates/includes.d` directory for Trellis Nginx includes templates is deprecated and will no longer function beginning with Trellis 1.0. Please move these templates to a directory named `{{ nginx_includes_templates_path }}` in the root of this project. For more information, see https://roots.io/trellis/docs/nginx-includes/" + when: True in nginx_includes_templates.files | map(attribute='path') | map('search', 'roles/wordpress-setup/templates/includes.d') | list + - name: Create includes.d directories file: path: "{{ nginx_path }}/includes.d/{{ item }}" state: directory mode: 0755 - with_items: "{{ nginx_includes_templates.files | map(attribute='path') | map('relpath', 'roles/wordpress-setup/templates/includes.d') | map('dirname') | unique | select | list | sort }}" + with_items: "{{ nginx_includes_templates.files | map(attribute='path') | + map('regex_replace', '^(' + nginx_includes_templates_path + '|.*includes\\.d)\\/(.*)$', '\\2') | + map('dirname') | unique | select | list | sort + }}" register: nginx_includes_paths - name: Template files out to includes.d template: src: "{{ item }}" - dest: "{{ nginx_path }}/includes.d/{{ item[:-3] | relpath('roles/wordpress-setup/templates/includes.d') }}" - with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list }}" + dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace('^(' + nginx_includes_templates_path + '|.*includes\\.d)\\/(.*)\\.j2$', '\\2') }}" + with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" register: 
nginx_includes_managed notify: reload nginx From 36b331f86028f45a57676b90a1b133537e953b86 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 12 Nov 2016 23:17:31 -0700 Subject: [PATCH 082/292] Make Nginx includes.d cleanup conditional and use find module --- roles/wordpress-setup/defaults/main.yml | 1 + roles/wordpress-setup/tasks/nginx-includes.yml | 18 ++++++++++-------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 6dd9b1c1cc..b928f2380a 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -1,2 +1,3 @@ site_uses_local_db: "{{ site_env.db_host == 'localhost' }}" nginx_includes_templates_path: nginx-includes +nginx_includes_d_cleanup: true diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 52ccaad4f5..17811f9bb8 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml 
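Review bot: Both `regex_replace` calls build their pattern by string-concatenating `nginx_includes_templates_path` unescaped (`'^(' + nginx_includes_templates_path + '|.*includes\\.d)\\/(.*)$'`), so a user-supplied path containing regex metacharacters such as `.` or `+` matches something other than itself, and the `.*includes\.d` alternative matches any path ending in `includes.d`, not just the deprecated one. Passing the variable through `regex_escape` and spelling out the deprecated path explicitly would make the mapping exact. Because that mapping drives `dest` for the template task, a mismatch produces files in the wrong place rather than a visible error, which is why it is worth tightening now; the deprecation-warning task itself is a good addition.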
@@ -24,28 +24,30 @@
map('regex_replace', '^(' + nginx_includes_templates_path + '|.*includes\\.d)\\/(.*)$', '\\2') |
map('dirname') | unique | select | list | sort
}}"
- register: nginx_includes_paths
- name: Template files out to includes.d
template:
src: "{{ item }}"
dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace('^(' + nginx_includes_templates_path + '|.*includes\\.d)\\/(.*)\\.j2$', '\\2') }}"
with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}"
- register: nginx_includes_managed
notify: reload nginx
- name: Retrieve list of existing files in includes.d
- shell: "find {{ nginx_includes_paths.results | map(attribute='path') | join(' ') }} -type f -name \\*.conf 2>/dev/null || :"
+ find:
+ paths: "{{ nginx_path }}/includes.d"
+ pattern: "*.conf"
+ recurse: yes
register: nginx_includes_existing
- changed_when: false
+ when: nginx_includes_d_cleanup
- name: Remove unmanaged files from includes.d
file:
path: "{{ item }}"
state: absent
- with_items: "{{ nginx_includes_existing.stdout_lines |
- difference(nginx_includes_managed.results | default([]) | map(attribute='item') |
- map('regex_replace', '(.*)\\.j2', '/etc/nginx/includes.d/\\1') | list
- )
+ with_items: "{{ nginx_includes_existing.files | default({}) | map(attribute='path') |
+ difference(nginx_includes_templates.files | map(attribute='path') |
+ map('regex_replace', '^(' + nginx_includes_templates_path + '|.*includes\\.d)(.*)\\.j2$', nginx_path + '/includes.d\\2') | unique
+ ) | list
}}"
+ when: nginx_includes_d_cleanup
notify: reload nginx
From 91ea970c70dc59aaa13d0346f1cd1da689f843a0 Mon Sep 17 00:00:00 2001
From: Phil Nelson
Date: Tue, 15 Nov 2016 18:10:20 -0700
Subject: [PATCH 083/292] Use more precise regex patterns in Nginx includes tasks
---
CHANGELOG.md | 1 +
roles/wordpress-setup/defaults/main.yml | 2 ++
roles/wordpress-setup/tasks/nginx-includes.yml | 12 ++++++------
3 files changed, 9 insertions(+), 6 deletions(-)
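Review bot: The cleanup `find` now walks the whole `{{ nginx_path }}/includes.d` tree recursively, whereas the removed `shell: find …` was limited to the directories in `nginx_includes_paths` that this role itself created; with `nginx_includes_d_cleanup` defaulting to true (defaults hunk on the previous line), any `.conf` an operator placed elsewhere under `includes.d` is now deleted on every run. If the broader sweep is intended, say so where it can be seen, e.g. `# removes every *.conf under includes.d that is not rendered from a template; set nginx_includes_d_cleanup: false to keep hand-managed files`; otherwise keep the `register: nginx_includes_paths` this hunk removes and restrict `paths` to those directories. Separately, `nginx_includes_existing.files | default({})` should be `default([])` — it only works because an empty mapping also iterates as empty.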
diff --git a/CHANGELOG.md b/CHANGELOG.md index 908d71fd7d..b0e0d497d9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Nginx includes: Move templates dir, fix 'No such file' error ([#687](https://github.com/roots/trellis/pull/687)) * [BREAKING] Move shell scripts to bin/ directory ([#680](https://github.com/roots/trellis/pull/680)) * Add myhostname to nsswitch.conf to ensure resolvable hostname ([#686](https://github.com/roots/trellis/pull/686)) * Add `bin/xdebug-tunnel.sh` to manage Xdebug and SSH tunnels on remote hosts ([#678](https://github.com/roots/trellis/pull/678)) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index b928f2380a..8cb21c1b9a 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -1,3 +1,5 @@ site_uses_local_db: "{{ site_env.db_host == 'localhost' }}" nginx_includes_templates_path: nginx-includes +nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d +nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }}|{{ nginx_includes_deprecated | regex_escape }})/(.*)\\.j2$" nginx_includes_d_cleanup: true diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 17811f9bb8..911807655c 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -3,7 +3,7 @@ find: paths: - "{{ nginx_includes_templates_path }}" - - roles/wordpress-setup/templates/includes.d + - "{{ nginx_includes_deprecated }}" pattern: "*.conf.j2" recurse: yes become: no 
@@ -12,8 +12,8 @@ - name: Warn about deprecated Nginx includes directory debug: - msg: "[DEPRECATION WARNING]: The `roles/wordpress-setup/templates/includes.d` directory for Trellis Nginx includes templates is deprecated and will no longer function beginning with Trellis 1.0. Please move these templates to a directory named `{{ nginx_includes_templates_path }}` in the root of this project. For more information, see https://roots.io/trellis/docs/nginx-includes/" - when: True in nginx_includes_templates.files | map(attribute='path') | map('search', 'roles/wordpress-setup/templates/includes.d') | list + msg: "[DEPRECATION WARNING]: The `{{ nginx_includes_deprecated }}` directory for Trellis Nginx includes templates is deprecated and will no longer function beginning with Trellis 1.0. Please move these templates to a directory named `{{ nginx_includes_templates_path }}` in the root of this project. For more information, see https://roots.io/trellis/docs/nginx-includes/" + when: True in nginx_includes_templates.files | map(attribute='path') | map('search', nginx_includes_deprecated | regex_escape) | list - name: Create includes.d directories file: @@ -21,14 +21,14 @@ state: directory mode: 0755 with_items: "{{ nginx_includes_templates.files | map(attribute='path') | - map('regex_replace', '^(' + nginx_includes_templates_path + '|.*includes\\.d)\\/(.*)$', '\\2') | + map('regex_replace', nginx_includes_pattern, '\\2') | map('dirname') | unique | select | list | sort }}" - name: Template files out to includes.d template: src: "{{ item }}" - dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace('^(' + nginx_includes_templates_path + '|.*includes\\.d)\\/(.*)\\.j2$', '\\2') }}" + dest: "{{ nginx_path }}/includes.d/{{ item | regex_replace(nginx_includes_pattern, '\\2') }}" with_items: "{{ nginx_includes_templates.files | map(attribute='path') | list | sort(True) }}" notify: reload nginx 
@@ -46,7 +46,7 @@ state: absent with_items: "{{ nginx_includes_existing.files | default({}) | map(attribute='path') | difference(nginx_includes_templates.files | map(attribute='path') | - map('regex_replace', '^(' + nginx_includes_templates_path + '|.*includes\\.d)(.*)\\.j2$', nginx_path + '/includes.d\\2') | unique + map('regex_replace', nginx_includes_pattern, nginx_path + '/includes.d/\\2') | unique ) | list }}" when: nginx_includes_d_cleanup From b961f8c45ee780abbb5dfc1df401eca4761c1df8 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 1 Dec 2016 03:37:28 -0700 Subject: [PATCH 084/292] Fix 404s by moving skip_cache conditions to server block --- CHANGELOG.md | 1 + .../templates/wordpress-site.conf.j2 | 37 ++++++++++--------- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0e0d497d9..1a66537c15 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix 404s by moving skip_cache conditions to server block ([#692](https://github.com/roots/trellis/pull/692)) * Nginx includes: Move templates dir, fix 'No such file' error ([#687](https://github.com/roots/trellis/pull/687)) * [BREAKING] Move shell scripts to bin/ directory ([#680](https://github.com/roots/trellis/pull/680)) * Add myhostname to nsswitch.conf to ensure resolvable hostname ([#686](https://github.com/roots/trellis/pull/686)) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 2393e57500..12a26cc5b4 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
@@ -40,30 +40,31 @@ server { include acme-challenge-location.conf; {% endif %} - include includes.d/{{ item.key }}/*.conf; - include wordpress.conf; + {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} + set $skip_cache 0; - location ~ \.php$ { - try_files $uri =404; - error_page 404 /index.php; + if ($query_string != "") { + set $skip_cache 1; + } - {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} - set $skip_cache 0; + # Don't cache uris containing the following segments + if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") { + set $skip_cache 1; + } - if ($query_string != "") { - set $skip_cache 1; - } + # Don't use the cache if cookies includes the following + if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { + set $skip_cache 1; + } + {% endif -%} - # Don't cache uris containing the following segments - if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") { - set $skip_cache 1; - } + include includes.d/{{ item.key }}/*.conf; + include wordpress.conf; - # Don't use the cache if cookies includes the following - if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { - set $skip_cache 1; - } + location ~ \.php$ { + try_files $uri /index.php; + {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} fastcgi_cache wordpress; fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }}; fastcgi_cache_bypass $skip_cache; From f7873ec29f7544b20255e05aaadd18403b98307b Mon Sep 17 00:00:00 2001 From: RiFi2k Date: Thu, 1 Dec 2016 20:31:25 -0500 Subject: [PATCH 085/292] Switch to distro packages for MariaDB Use official Ubuntu managed packages for simplicity --- roles/mariadb/defaults/main.yml | 4 ---- roles/mariadb/tasks/main.yml | 13 ------------- 2 files changed, 17 deletions(-) 
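Review bot: `try_files $uri =404;` plus `error_page 404 /index.php;` in `location ~ \.php$` is replaced by `try_files $uri /index.php;`, so a request for a non-existent `.php` path is now handed straight to the front controller instead of being answered with a 404 first; that matches the stated aim of fixing 404s, but it also drops the conventional `=404` guard that keeps nginx from passing an unresolved script name on to PHP-FPM. The fastcgi parameters live in the included `wordpress.conf`, which is outside this hunk, so please confirm that file derives `SCRIPT_FILENAME` from the resolved document root and still rejects scripts that do not exist. A one-line comment above the new `try_files` would save the next reader the same investigation: `# unknown .php paths fall through to the front controller (#692); wordpress.conf must still refuse unresolved scripts`.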
diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 32b3d530d4..3a78b43da7 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,8 +1,4 @@ mariadb_binary_logging_disabled: true -mariadb_keyserver_fingerprint: "0xcbcb082a1bb943db" -mariadb_mirror: nyc2.mirrors.digitalocean.com -mariadb_version: "10.0" -mariadb_dist: trusty mysql_root_user: root sites_using_remote_db: "[{% for name, site in wordpress_sites.iteritems() if site.env is defined and site.env.db_host | default('localhost') != 'localhost' %}'{{ name }}',{% endfor %}]" diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index a957171a0e..7617f55968 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -1,17 +1,4 @@ --- -- name: Add MariaDB MySQL apt-key - apt_key: - url: "http://keyserver.ubuntu.com/pks/lookup?op=get&fingerprint=on&search={{ mariadb_keyserver_fingerprint }}" - state: present - -- name: Add MariaDB MySQL deb and deb-src - apt_repository: - repo: "{{ item }}" - state: present - with_items: - - "deb http://{{ mariadb_mirror }}/mariadb/repo/{{ mariadb_version }}/ubuntu {{ mariadb_dist | default(ansible_distribution_release) }} main" - - "deb-src http://{{ mariadb_mirror }}/mariadb/repo/{{ mariadb_version }}/ubuntu {{ mariadb_dist | default(ansible_distribution_release) }} main" - - name: Install MySQL client apt: name: mariadb-client From 4126c5ae447641d7401ef57607979002d8841ac1 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 1 Dec 2016 18:36:14 -0700 Subject: [PATCH 086/292] Composer install: Use composer module and run as non-root --- roles/deploy/hooks/build-after.yml | 6 +++--- roles/wordpress-install/tasks/main.yml | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index ba0e31b0a7..d9d5da1c6d 100644 --- a/roles/deploy/hooks/build-after.yml 
+++ b/roles/deploy/hooks/build-after.yml
@@ -10,6 +10,6 @@
when: not composer_json.stat.exists
- name: Install Composer dependencies
- command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts
- args:
- chdir: "{{ deploy_helper.new_release_path }}"
+ composer:
+ no_scripts: yes
+ working_dir: "{{ deploy_helper.new_release_path }}"
diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml
index 934d232416..06a8d11a1e 100644
--- a/roles/wordpress-install/tasks/main.yml
+++ b/roles/wordpress-install/tasks/main.yml
@@ -17,12 +17,12 @@
changed_when: env_file.stdout == "{{ item.key }}.env"
- name: Install Dependencies with Composer
- command: composer install
- args:
- chdir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/"
- register: composer_results
+ composer:
+ no_dev: no
+ optimize_autoloader: no
+ working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/"
+ become: no
with_dict: "{{ wordpress_sites }}"
- changed_when: "'Nothing to install or update' not in composer_results.stderr"
- name: Install WP
command: wp core {{ item.value.multisite.enabled | default(false) | ternary('multisite-install', 'install') }}
From 1d80bf232db5c66e9bad3905fa6d4e1ad19eedd8 Mon Sep 17 00:00:00 2001
From: Kalen Johnson
Date: Fri, 2 Dec 2016 12:46:12 -0800
Subject: [PATCH 087/292] PHP 7.1 update
---
dev.yml | 2 +-
group_vars/all/users.yml | 2 +-
roles/common/handlers/main.yml | 2 +-
roles/deploy/hooks/finalize-after.yml | 2 +-
roles/php/tasks/main.yml | 38 +++++++++++++--------------
roles/wordpress-setup/tasks/main.yml | 6 ++---
roles/xdebug/tasks/main.yml | 10 +++----
server.yml | 2 +-
xdebug-tunnel.yml | 2 +-
9 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/dev.yml b/dev.yml
index 1df5a083c0..156e7fe0d4 100644
--- a/dev.yml
+++ b/dev.yml
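Review bot: In the wordpress-install hunk the `composer` module call does not set `no_scripts`, whereas the build-after hunk in this same commit does, so on the development box `composer install` still executes every script declared by the project and by its dependencies as part of provisioning. If that is deliberate for development, a comment would make the asymmetry intentional rather than accidental, e.g. `# scripts are allowed here so dev-only hooks run; the deploy path (build-after.yml) disables them`. The task also switches to `become: no`, so the install now runs as the connecting user rather than root — the tree under `{{ www_root }}/{{ item.key }}/…` has to be writable by that user, which nothing in the hunk establishes. Dropping the stderr-based `changed_when` is fine, since the module reports its own changed state.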
@@ -1,5 +1,5 @@ --- -- name: "WordPress Server: Install LEMP Stack with PHP 7.0 and MariaDB MySQL" +- name: "WordPress Server: Install LEMP Stack with PHP 7.1 and MariaDB MySQL" hosts: web:&development become: yes remote_user: vagrant diff --git a/group_vars/all/users.yml b/group_vars/all/users.yml index 2e3b75ead6..e2d615012f 100644 --- a/group_vars/all/users.yml +++ b/group_vars/all/users.yml @@ -19,4 +19,4 @@ users: web_user: web web_group: www-data web_sudoers: - - "/usr/sbin/service php7.0-fpm *" + - "/usr/sbin/service php7.1-fpm *" diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 4f1e2add53..801e23c8b8 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -6,7 +6,7 @@ - name: reload php-fpm service: - name: php7.0-fpm + name: php7.1-fpm state: reloaded - name: reload nginx diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 6be3b71bdd..60ba3a9696 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -31,7 +31,7 @@ when: wp_installed | success and project.multisite.enabled | default(false) - name: Reload php-fpm - shell: sudo service php7.0-fpm reload + shell: sudo service php7.1-fpm reload args: chdir: "{{ deploy_helper.new_release_path }}" warn: false diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 45f7f0ca05..eb42df235a 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -1,42 +1,42 @@ --- -- name: Add PHP 7.0 PPA +- name: Add PHP 7.1 PPA apt_repository: repo: "ppa:ondrej/php" update_cache: yes -- name: Install PHP 7.0 +- name: Install PHP 7.1 apt: name: "{{ item }}" state: present force: yes with_items: - - php7.0-cli - - php7.0-common - - php7.0-curl - - php7.0-dev - - php7.0-fpm - - php7.0-gd - - php7.0-mbstring - - php7.0-mcrypt - - php7.0-mysql - - php7.0-opcache - - php7.0-xml - - php7.0-xmlrpc - - php7.0-zip + - php7.1-cli + - php7.1-common + - php7.1-curl + - php7.1-dev + - php7.1-fpm + - php7.1-gd + - php7.1-mbstring + - php7.1-mcrypt + - php7.1-mysql + - php7.1-opcache + - php7.1-xml + - php7.1-xmlrpc + - php7.1-zip -- name: Start php7.0-fpm service +- name: Start php7.1-fpm service service: - name: php7.0-fpm + name: php7.1-fpm state: started enabled: true - name: Create socket directory file: - path: /var/run/php7.0-fpm/ + path: /var/run/php7.1-fpm/ state: directory - name: PHP configuration file template: src: php.ini.j2 - dest: /etc/php/7.0/fpm/php.ini + dest: /etc/php/7.1/fpm/php.ini notify: reload php-fpm diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 8bb6ce58b5..79b59be7c0 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -25,13 +25,13 @@ - name: Create WordPress php-fpm configuration file template: src: php-fpm.conf.j2 - dest: /etc/php/7.0/fpm/pool.d/wordpress.conf + dest: /etc/php/7.1/fpm/pool.d/wordpress.conf notify: reload php-fpm - name: Disable default PHP-FPM pool - command: mv /etc/php/7.0/fpm/pool.d/www.conf /etc/php/7.0/fpm/pool.d/www.disabled + command: mv /etc/php/7.1/fpm/pool.d/www.conf /etc/php/7.1/fpm/pool.d/www.disabled args: - creates: /etc/php/7.0/fpm/pool.d/www.disabled + creates: /etc/php/7.1/fpm/pool.d/www.disabled when: disable_default_pool | default(true) notify: reload php-fpm diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index ae88b34d50..30dec3ca7d 100644 
--- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -8,13 +8,13 @@ - name: Template the Xdebug configuration file template: src: xdebug.ini.j2 - dest: /etc/php/7.0/mods-available/xdebug.ini + dest: /etc/php/7.1/mods-available/xdebug.ini notify: reload php-fpm - name: Ensure 20-xdebug.ini is present file: - src: /etc/php/7.0/mods-available/xdebug.ini - dest: /etc/php/7.0/fpm/conf.d/20-xdebug.ini + src: /etc/php/7.1/mods-available/xdebug.ini + dest: /etc/php/7.1/fpm/conf.d/20-xdebug.ini state: link notify: reload php-fpm @@ -22,12 +22,12 @@ - name: Disable Xdebug file: - path: /etc/php/7.0/fpm/conf.d/20-xdebug.ini + path: /etc/php/7.1/fpm/conf.d/20-xdebug.ini state: absent when: not xdebug_remote_enable | bool notify: reload php-fpm - name: Disable Xdebug CLI file: - path: /etc/php/7.0/cli/conf.d/20-xdebug.ini + path: /etc/php/7.1/cli/conf.d/20-xdebug.ini state: absent diff --git a/server.yml b/server.yml index b53b063a28..ba7843cf07 100644 --- a/server.yml +++ b/server.yml @@ -17,7 +17,7 @@ - name: Install Python 2.x raw: sudo apt-get install -qq -y python-simplejson -- name: WordPress Server - Install LEMP Stack with PHP 7.0 and MariaDB MySQL +- name: WordPress Server - Install LEMP Stack with PHP 7.1 and MariaDB MySQL hosts: web:&{{ env }} become: yes roles: diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 19aed882cb..a6cbb5df77 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -13,5 +13,5 @@ handlers: - name: reload php-fpm service: - name: php7.0-fpm + name: php7.1-fpm state: reloaded From c6d3fdc88a49d356264f4f622f925e49b607a4f5 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 2 Dec 2016 15:09:50 -0700 Subject: [PATCH 088/292] Fix ANSIBLE_PATH in windows.sh --- bin/windows.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/windows.sh b/bin/windows.sh index f563c1cff8..896dd4af04 100644 --- a/bin/windows.sh +++ b/bin/windows.sh 
@@ -5,7 +5,7 @@
# @author Andrea Brandi
# @version 1.0
-ANSIBLE_PATH="$(find /vagrant -name 'bin/windows.sh' -printf '%h' -quit)"
+ANSIBLE_PATH="$(find /vagrant -name 'dev.yml' -printf '%h' -quit)"
export PYTHONUNBUFFERED=1
# Create an ssh key if not already created.
From 37b314f11d044f50a1343e50727961c1025c00a8 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Fri, 2 Dec 2016 20:01:23 -0500
Subject: [PATCH 089/292] Bump CHANGELOG
---
CHANGELOG.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1a66537c15..fe5d78deb8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
### HEAD
+* Install MariaDB via Ubuntu's official distro packages ([#693](https://github.com/roots/trellis/pull/693))
* Fix 404s by moving skip_cache conditions to server block ([#692](https://github.com/roots/trellis/pull/692))
* Nginx includes: Move templates dir, fix 'No such file' error ([#687](https://github.com/roots/trellis/pull/687))
* [BREAKING] Move shell scripts to bin/ directory ([#680](https://github.com/roots/trellis/pull/680))
From 00fa27a9ba730bf4d36b9fcd05560fd7751a26c9 Mon Sep 17 00:00:00 2001
From: Ben Word
Date: Sat, 3 Dec 2016 11:27:09 -0700
Subject: [PATCH 090/292] Update ISSUE_TEMPLATE.md
---
.github/ISSUE_TEMPLATE.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md
index abcad7cda5..425c793cf0 100644
--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -5,6 +5,7 @@
- [ ] This is a bug report
- [ ] This request isn't a duplicate of an [existing issue](https://github.com/roots/trellis/issues)
- [ ] I've read the [docs](https://roots.io/trellis/docs) and followed them (if applicable)
+- [ ] This is not a personal support request that should be posted on the [Roots Discourse](https://discourse.roots.io/c/trellis) forums
Replace any `X` with your information.
From 91401bfbdfbdd4f17a82ed83b9e7f3c396f75533 Mon Sep 17 00:00:00 2001
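Review bot: `find /vagrant -name 'dev.yml' -printf '%h' -quit` takes the first `dev.yml` encountered anywhere under `/vagrant` in traversal order, so a nested checkout or a vendored role that ships its own `dev.yml` can redirect `ANSIBLE_PATH` to the wrong tree, and the rest of the script then runs that tree's playbook. The old pattern could never match, so this is an improvement, but constraining the search (`-maxdepth`, or matching a file unique to the project root alongside `dev.yml`) would make the result deterministic. The script's use of `ANSIBLE_PATH` continues outside the hunk.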
From: Scott Walkinshaw Date: Sat, 3 Dec 2016 21:21:47 -0500 Subject: [PATCH 091/292] Fix #675 - Use log level strings for fail2ban --- roles/fail2ban/README.md | 4 ++-- roles/fail2ban/defaults/main.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/fail2ban/README.md b/roles/fail2ban/README.md index b810d7201e..a3aa07b68e 100644 --- a/roles/fail2ban/README.md +++ b/roles/fail2ban/README.md @@ -12,8 +12,8 @@ Below is a list of default values along with a description of what they do. ``` # Which log level should it be output as? -# 1 = ERROR, 2 = WARN, 3 = INFO, 4 = DEBUG -fail2ban_loglevel: 3 +# Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Default: ERROR +fail2ban_loglevel: WARNING # Where should log outputs be sent to? # SYSLOG, STDERR, STDOUT, file diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index b3a2b6f2ad..e75e2b194d 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml @@ -1,5 +1,5 @@ --- -fail2ban_loglevel: 3 +fail2ban_loglevel: INFO fail2ban_logtarget: /var/log/fail2ban.log fail2ban_socket: /var/run/fail2ban/fail2ban.sock From b299b331f2112c2cb5ee7fa2e7512a9e5a663821 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 3 Dec 2016 21:48:51 -0500 Subject: [PATCH 092/292] Name some Maria/MySQL things better --- roles/mariadb/defaults/main.yml | 2 +- roles/mariadb/tasks/main.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 3a78b43da7..95ad282f0c 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,4 +1,4 @@ -mariadb_binary_logging_disabled: true +mysql_binary_logging_disabled: true mysql_root_user: root sites_using_remote_db: "[{% for name, site in wordpress_sites.iteritems() if site.env is defined and site.env.db_host | default('localhost') != 'localhost' %}'{{ name }}',{% endfor %}]" 
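Review bot: The README hunk presents `fail2ban_loglevel: WARNING` as the role default and adds `Default: ERROR`, while the defaults hunk in the same commit sets `fail2ban_loglevel: INFO`, so the documented and shipped values disagree. Align the README to `INFO` (or change the default to match the README), and if `Default: ERROR` refers to fail2ban's own built-in default rather than this role's, say so, e.g. `# Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG (fail2ban's built-in default is ERROR; this role sets INFO)`.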
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 7617f55968..f579a134c7 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -5,7 +5,7 @@ state: present - block: - - name: Install MariaDB MySQL server + - name: Install MySQL server apt: name: mariadb-server state: present @@ -16,9 +16,9 @@ dest: /etc/mysql/conf.d owner: root group: root - when: mariadb_binary_logging_disabled + when: mysql_binary_logging_disabled - - name: Restart MariaDB MySQL Server + - name: Restart MySQL Server service: name: mysql state: restarted From 99b4d7337e5bca893c60f28528bd6f3418a084d7 Mon Sep 17 00:00:00 2001 From: Tom Smyth Date: Mon, 5 Dec 2016 13:19:11 -0500 Subject: [PATCH 093/292] Added `main` format to wordpress-sites nginx config --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 12a26cc5b4..6a263ee634 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -8,7 +8,7 @@ server { {% endif %} server_name {% for host in site_hosts_canonical %}{{ host }} {% if item.value.multisite.subdomains | default(false) %}*.{{ host }} {% endif %}{% endfor %}; - access_log {{ www_root }}/{{ item.key }}/logs/access.log; + access_log {{ www_root }}/{{ item.key }}/logs/access.log main; error_log {{ www_root }}/{{ item.key }}/logs/error.log; root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web; From 8453c53213eb722e5293dded8cceff3ebf33a493 Mon Sep 17 00:00:00 2001 
From: Kalen Johnson Date: Mon, 5 Dec 2016 14:59:02 -0800 Subject: [PATCH 094/292] Ansible-local for Vagrant and Windows (#690) * Switch to ansible_local provisioner, remove Windows shell script * Re-add roles_paths * Combine provisioner code in Vagrantfile * CHANGELOG Update [ci skip] --- CHANGELOG.md | 1 + Vagrantfile | 49 ++++++++++++++++++------------------- bin/windows.sh | 49 ------------------------------------- roles/common/tasks/main.yml | 6 +++++ 4 files changed, 31 insertions(+), 74 deletions(-) delete mode 100644 bin/windows.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index fe5d78deb8..e90afe28de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Ansible-Local for Vagrant boxes on Windows ([#690](https://github.com/roots/trellis/pull/690)) * Install MariaDB via Ubuntu's official distro packages ([#693](https://github.com/roots/trellis/pull/693)) * Fix 404s by moving skip_cache conditions to server block ([#692](https://github.com/roots/trellis/pull/692)) * Nginx includes: Move templates dir, fix 'No such file' error ([#687](https://github.com/roots/trellis/pull/687)) diff --git a/Vagrantfile b/Vagrantfile index 56f260dde8..691d2818c5 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -30,10 +30,6 @@ else fail_with_message "#{config_file} was not found. Please set `ANSIBLE_PATH` in your Vagrantfile." end -if !Dir.exists?(ENV['ANSIBLE_ROLES_PATH']) && !Vagrant::Util::Platform.windows? - fail_with_message "You are missing the required Ansible Galaxy roles, please install them with this command:\nansible-galaxy install -r requirements.yml" -end - Vagrant.require_version '>= 1.8.5' Vagrant.configure('2') do |config| 
@@ -87,29 +83,32 @@ Vagrant.configure('2') do |config| end end - if Vagrant::Util::Platform.windows? - config.vm.provision :shell do |sh| - sh.path = File.join(ANSIBLE_PATH, 'bin/windows.sh') - sh.args = [Vagrant::VERSION] - sh.keep_color = true + provisioner = Vagrant::Util::Platform.windows? ? :ansible_local : :ansible + provisioning_path = Vagrant::Util::Platform.windows? ? ANSIBLE_PATH.sub(__dir__, '/vagrant') : ANSIBLE_PATH + config.vm.provision provisioner do |ansible| + if Vagrant::Util::Platform.windows? + ansible.install_mode = 'pip' + ansible.provisioning_path = provisioning_path + ansible.version = '2.2.0' end - else - config.vm.provision :ansible do |ansible| - ansible.playbook = File.join(ANSIBLE_PATH, 'dev.yml') - ansible.groups = { - 'web' => ['default'], - 'development' => ['default'] - } - - if tags = ENV['ANSIBLE_TAGS'] - ansible.tags = tags - end - ansible.extra_vars = {'vagrant_version' => Vagrant::VERSION} - if vars = ENV['ANSIBLE_VARS'] - extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] - ansible.extra_vars.merge(extra_vars) - end + ansible.playbook = File.join(provisioning_path, 'dev.yml') + ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') + ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') + + ansible.groups = { + 'web' => ['default'], + 'development' => ['default'] + } + + if tags = ENV['ANSIBLE_TAGS'] + ansible.tags = tags + end + + ansible.extra_vars = {'vagrant_version' => Vagrant::VERSION} + if vars = ENV['ANSIBLE_VARS'] + extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] + ansible.extra_vars.merge(extra_vars) end end diff --git a/bin/windows.sh b/bin/windows.sh deleted file mode 100644 index 896dd4af04..0000000000 --- a/bin/windows.sh +++ /dev/null 
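Review bot: `ansible.extra_vars.merge(extra_vars)` discards its result — Ruby's `Hash#merge` returns a new hash and leaves the receiver untouched — so anything passed through `ANSIBLE_VARS` never reaches the provisioner; use `ansible.extra_vars.merge!(extra_vars)` or assign the result back. `pair.split('=')` also breaks on any value that itself contains `=`; `pair.split('=', 2)` keeps only the first `=` as the separator. Both lines are carried over from the removed branch, so the bug predates this commit, but they are new lines on the `+` side and this is where they get a second look. Separately, `ansible.install_mode = 'pip'` with `ansible.version = '2.2.0'` fetches Ansible from PyPI inside the guest with the version pinned but no integrity pinning; a short comment noting that this applies to the Windows path only and that the pin is for reproducibility would help readers judge that trade-off.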
@@ -1,49 +0,0 @@ -#!/bin/bash -# -# Windows provisioner for Trellis -# heavily modified and based on KSid/windows-vagrant-ansible -# @author Andrea Brandi -# @version 1.0 - -ANSIBLE_PATH="$(find /vagrant -name 'dev.yml' -printf '%h' -quit)" -export PYTHONUNBUFFERED=1 - -# Create an ssh key if not already created. -if [ ! -f ~/.ssh/id_rsa ]; then - echo -e "\n\n\n" | ssh-keygen -t rsa -fi - -# Check SSH forwarding agent -echo ' -printf "\033[1;33m" -if ! ssh-add -l >/dev/null; then - printf "See: https://roots.io/trellis/docs/windows/#ssh-forwarding" -fi -printf "\033[0m\n\n" -' >> /home/vagrant/.profile - -# Check that add-apt-repository is installed for non-standard Vagrant boxes -if [ ! -f /usr/bin/add-apt-repository ]; then - sudo apt-get -y update - echo "Adding add-apt-repository..." - sudo apt-get -y install software-properties-common -fi - -# Install Ansible and its dependencies if not installed. -if [ ! -f /usr/bin/ansible ]; then - echo "Installing pip..." - sudo apt-get -y update - sudo apt-get -y install python-pip libssl-dev libffi-dev - echo "Installing Ansible with pip..." - sudo pip install ansible=='2.0.2.0' - sudo pip install markupsafe -fi - -if [ ! -d ${ANSIBLE_PATH}/vendor ]; then - echo "Running Ansible Galaxy install" - ansible-galaxy install -r ${ANSIBLE_PATH}/requirements.yml -p ${ANSIBLE_PATH}/vendor/roles -fi - -echo "Running Ansible Playbooks" -cd ${ANSIBLE_PATH}/ -ansible-playbook dev.yml -e vagrant_version=$1 diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 622cf87e80..ce32ce7f2a 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -81,3 +81,9 @@ line: \1 myhostname regexp: ^(hosts\:((?!myhostname).)*)$ state: present + +- name: Generate SSH key for vagrant user + user: + name: vagrant + generate_ssh_key: yes + when: env == 'development' From 51b945958e355ec2b304600821308bb9109c15d7 Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Fri, 9 Dec 2016 02:35:48 -0700 Subject: [PATCH 095/292] Update apt before python install, avoid redundant cache updates --- group_vars/all/main.yml | 2 +- roles/common/tasks/main.yml | 6 ++---- roles/mariadb/tasks/main.yml | 2 ++ roles/memcached/tasks/main.yml | 1 + roles/ssmtp/tasks/main.yml | 2 ++ roles/xdebug/tasks/main.yml | 2 ++ server.yml | 4 +++- 7 files changed, 13 insertions(+), 6 deletions(-) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 656aa8ab7e..0a189f9617 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -1,7 +1,7 @@ composer_keep_updated: true composer_global_packages: - { name: hirak/prestissimo } -apt_cache_valid_time: 86400 +apt_cache_valid_time: 3600 ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index ce32ce7f2a..bf7d261c17 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -44,14 +44,12 @@ when: env != 'development' and darwin_without_passlib | default(false) run_once: true -- name: Update Apt - apt: - update_cache: yes - - name: Checking essentials apt: name: "{{ item }}" state: present + update_cache: true + cache_valid_time: "{{ apt_cache_valid_time }}" with_items: - python-software-properties - python-pycurl diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index f579a134c7..cb37c3419d 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -3,6 +3,8 @@ apt: name: mariadb-client state: present + update_cache: true + cache_valid_time: "{{ apt_cache_valid_time }}" - block: - name: Install MySQL server diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 379c8cfac2..2e2c5dff41 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml 
@@ -4,6 +4,7 @@
name: "{{ item }}"
state: present
update_cache: yes
+ cache_valid_time: "{{ apt_cache_valid_time }}"
with_items:
- memcached
- php-memcached
diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml
index 036f98a30b..140402f1cf 100644
--- a/roles/ssmtp/tasks/main.yml
+++ b/roles/ssmtp/tasks/main.yml
@@ -3,6 +3,8 @@
apt:
name: ssmtp
state: present
+ update_cache: true
+ cache_valid_time: "{{ apt_cache_valid_time }}"
- name: ssmtp configuration
template:
diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml
index ae88b34d50..a18b4b31b5 100644
--- a/roles/xdebug/tasks/main.yml
+++ b/roles/xdebug/tasks/main.yml
@@ -4,6 +4,8 @@
apt:
name: php-xdebug
state: latest
+ update_cache: true
+ cache_valid_time: "{{ apt_cache_valid_time }}"
- name: Template the Xdebug configuration file
template:
diff --git a/server.yml b/server.yml
index b53b063a28..da501b938e 100644
--- a/server.yml
+++ b/server.yml
@@ -15,7 +15,9 @@
become: yes
tasks:
- name: Install Python 2.x
- raw: sudo apt-get install -qq -y python-simplejson
+ raw: which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson
+ register: python_check
+ changed_when: not python_check.stdout | search('/usr/bin/python')
- name: WordPress Server - Install LEMP Stack with PHP 7.0 and MariaDB MySQL
hosts: web:&{{ env }}
From d9c7746c006ed09c5679044d0be8a165b30f0eea Mon Sep 17 00:00:00 2001
From: Phil Nelson
Date: Fri, 9 Dec 2016 20:35:48 -0700
Subject: [PATCH 096/292] Remove obsolete references to vars_plugins path
---
Vagrantfile | 1 -
ansible.cfg | 1 -
2 files changed, 2 deletions(-)
diff --git a/Vagrantfile b/Vagrantfile
index 691d2818c5..10aab7710d 100644
--- a/Vagrantfile
+++ b/Vagrantfile
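Review bot: In the server.yml hunk, `which python || sudo apt-get update && sudo apt-get install -qq -y python-simplejson` is parsed by the shell as `(which python || sudo apt-get update) && sudo apt-get install …`, because `||` and `&&` share one precedence level and associate left; the install therefore still runs on every host, and only the cache update is skipped when python is already present. If the intent is to skip the whole step once python exists, group the right-hand side: `raw: which python || (sudo apt-get update && sudo apt-get install -qq -y python-simplejson)`. The `changed_when` test on `/usr/bin/python` in stdout also assumes `which` resolves python to that path; a host with python elsewhere on PATH reports changed on every run.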
@@ -15,7 +15,6 @@ ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback_plugins/:/usr/sha ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" ENV['ANSIBLE_LIBRARY'] = "/usr/share/ansible:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" ENV['ANSIBLE_ROLES_PATH'] = File.join(ANSIBLE_PATH, 'vendor', 'roles') -ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" config_file = File.join(ANSIBLE_PATH, 'group_vars', 'development', 'wordpress_sites.yml') diff --git a/ansible.cfg b/ansible.cfg index 63876eae63..3f83209b27 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -7,7 +7,6 @@ force_handlers = True inventory = hosts nocows = 1 roles_path = vendor/roles -vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:lib/trellis/plugins/vars [ssh_connection] ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s From 1e06b35764c333b084fab3039df5b68eeb47e736 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 11 Dec 2016 14:18:35 -0500 Subject: [PATCH 097/292] Bump WP-CLI to 1.0.0 --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e90afe28de..e7bef50714 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update WP-CLI to 1.0.0 ([#708](https://github.com/roots/trellis/pull/708)) * Ansible-Local for Vagrant boxes on Windows ([#690](https://github.com/roots/trellis/pull/690)) * Install MariaDB via Ubuntu's official distro packages ([#693](https://github.com/roots/trellis/pull/693)) * Fix 404s by moving skip_cache conditions to server block ([#692](https://github.com/roots/trellis/pull/692)) 
diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 84fa502973..593f2cd4be 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 0.25.0 +wp_cli_version: 1.0.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From 43eee3986465ff4b4ec13427a1eb0e7890a094ce Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 11 Dec 2016 14:18:46 -0500 Subject: [PATCH 098/292] Improve WP-CLI download/install process Removes the need to `force` meaning we can skip downloading every time regardless if it's already installed. --- roles/wp-cli/tasks/main.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 5827479283..9c7908bd83 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -1,10 +1,15 @@ --- -- name: Install WP-CLI +- name: Download WP-CLI get_url: url: "{{ wp_cli_phar_url }}" - dest: "{{ wp_cli_bin_path }}" - force: true - mode: 0755 + dest: /tmp/wp-cli-{{ wp_cli_version }}.phar + +- name: Install WP-CLI + command: rsync -c --chmod=0755 --info=name /tmp/wp-cli-{{ wp_cli_version }}.phar {{ wp_cli_bin_path }} + args: + warn: false + register: wp_cli + changed_when: wp_cli.stdout == "wp-cli{{ wp_cli_version }}.phar" - name: Retrieve WP-CLI tab completions command: curl -4Ls {{ wp_cli_completion_url }} -o /tmp/wp-completion-{{ wp_cli_version }}.bash From bbfe938fbaf1c377bfc672a23a0d2df99e50bf6f Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 11 Dec 2016 14:42:24 -0500 Subject: [PATCH 099/292] Bump CHANGELOG for #695 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) 
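Review bot: The `changed_when` on the `Install WP-CLI` task compares `wp_cli.stdout` with `"wp-cli{{ wp_cli_version }}.phar"`, which lacks the hyphen in the file name actually passed to rsync (`wp-cli-{{ wp_cli_version }}.phar`), so the task appears never to report a change; it should read `changed_when: wp_cli.stdout == "wp-cli-{{ wp_cli_version }}.phar"`. The `Download WP-CLI` task fetches an executable phar into a predictable, world-writable `/tmp` path with no integrity check, and because `force` was dropped, `get_url` will reuse whatever file already sits at that path (including a truncated or planted one) instead of re-downloading; passing `checksum: sha256:<EXPECTED_SHA256_PLACEHOLDER>` to `get_url` pins the artifact, and a root-owned cache directory instead of `/tmp` avoids the pre-existing-file problem. A short comment on the download task stating that the file is cached by version and must be verified before install would make the contract clear.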
diff --git a/CHANGELOG.md b/CHANGELOG.md index e7bef50714..5ee664ed62 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update PHP to 7.1 ([#695](https://github.com/roots/trellis/pull/695)) * Update WP-CLI to 1.0.0 ([#708](https://github.com/roots/trellis/pull/708)) * Ansible-Local for Vagrant boxes on Windows ([#690](https://github.com/roots/trellis/pull/690)) * Install MariaDB via Ubuntu's official distro packages ([#693](https://github.com/roots/trellis/pull/693)) From d61382374a1833d5c91289bcf003202bcc40add6 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 12 Dec 2016 21:43:59 -0700 Subject: [PATCH 100/292] Make Diffie-Hellman creation conditional on ssl enabled --- roles/nginx/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 916b56539b..312a4741b6 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -21,6 +21,7 @@ args: chdir: "{{ nginx_path }}/ssl" creates: "{{ nginx_path }}/ssl/dhparams.pem" + when: true in [{% for key, site in wordpress_sites.iteritems() %}{{ site.ssl.enabled }},{% endfor %}] notify: reload nginx tags: [diffie-hellman] From 89d2d187acbc99c8232f2f31b1ddfbeb66dcb4e8 Mon Sep 17 00:00:00 2001 From: RiFi2k Date: Tue, 13 Dec 2016 15:14:36 -0500 Subject: [PATCH 101/292] Remove creation of unused socket directory The php7.1-fpm socket is created at /var/run so no need for this directory to be created --- roles/php/tasks/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index eb42df235a..f3682fabbb 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -30,11 +30,6 @@ state: started enabled: true -- name: Create socket directory - file: - path: /var/run/php7.1-fpm/ - state: directory - - name: PHP configuration file template: src: php.ini.j2 From 3c8bbe584718f2ad2635255f48af7f8afdf8aed2 Mon Sep 17 00:00:00 2001 
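Review bot: The new `when:` on the Diffie-Hellman task in roles/nginx/tasks/main.yml reads `site.ssl.enabled` directly, so a site in `wordpress_sites` without an `ssl` key makes the whole expression raise an undefined-variable error instead of evaluating to false; the `ssl_enabled` helper added later in this series guards the same lookup with `is defined`. A tolerant form is `when: true in [{% for key, site in wordpress_sites.iteritems() %}{{ site.ssl.enabled | default(false) }},{% endfor %}]`. `iteritems()` is Python 2 only; `items()` behaves the same on both interpreters if this ever runs under Python 3.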
From: Scott Walkinshaw Date: Tue, 13 Dec 2016 20:50:03 -0500 Subject: [PATCH 102/292] Bump CHANGELOG for #709 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ee664ed62..f66f74a892 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Diffie-Hellman params now conditional on SSL status ([#709](https://github.com/roots/trellis/pull/709)) * Update PHP to 7.1 ([#695](https://github.com/roots/trellis/pull/695)) * Update WP-CLI to 1.0.0 ([#708](https://github.com/roots/trellis/pull/708)) * Ansible-Local for Vagrant boxes on Windows ([#690](https://github.com/roots/trellis/pull/690)) From 7cdfbde363b8f8b1947fbd4ea28ba31af2067f6d Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 14 Dec 2016 16:46:10 -0700 Subject: [PATCH 103/292] Create project_shared_children files if they do not exist (#706) Also ensure parent directories for project shared paths are present --- CHANGELOG.md | 1 + roles/deploy/defaults/main.yml | 10 +++++----- roles/deploy/tasks/share.yml | 27 +++++++++++++++++++++++++-- 3 files changed, 31 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f66f74a892..4ff38a388a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Create `project_shared_children` files if they do not exist ([#706](https://github.com/roots/trellis/pull/706)) * Diffie-Hellman params now conditional on SSL status ([#709](https://github.com/roots/trellis/pull/709)) * Update PHP to 7.1 ([#695](https://github.com/roots/trellis/pull/695)) * Update WP-CLI to 1.0.0 ([#708](https://github.com/roots/trellis/pull/708)) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index a592b98c11..0e230fb7b2 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml 
@@ -21,15 +21,15 @@ project_templates: src: roles/deploy/templates/env.j2 dest: .env -# The shared_children is a list of all files/folders in your project that need to be linked to a path in "/shared". +# The shared_children is a list of all files/folders in your project that need to be linked to a path in `/shared`. # For example a sessions directory or an uploads folder. They are created if they don't exist, with the type # specified in the `type` key (file or directory). # Example: # project_shared_children: -# - path: "app/sessions" -# src: "sessions" -# mode: "0755" -# type: "file" / "directory" // <- optional, defaults to "directory" +# - path: app/sessions +# src: sessions +# mode: '0755' // <- optional, must be quoted, defaults to `'0755'` if `directory` or `'0644'` if `file` +# type: directory // <- optional, defaults to `directory`, options: `directory` or `file` project_shared_children: - path: web/app/uploads src: uploads diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index aa855834eb..62ded1a0f3 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml 
@@ -2,12 +2,35 @@ - include: "{{ deploy_share_before | default('../hooks/example.yml') }}" tags: deploy-share-before -- name: Ensure shared sources are present +- name: Ensure shared sources are present -- directories file: path: "{{ deploy_helper.shared_path }}/{{ item.src }}" - state: "{{ item.type | default('directory') }}" + state: directory mode: "{{ item.mode | default('0755') }}" with_items: "{{ project_shared_children }}" + when: item.type | default('directory') | lower == 'directory' + +- name: Ensure shared sources are present -- files' parent directories + file: + path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}" + state: directory + mode: '0755' + with_items: "{{ project_shared_children }}" + when: item.type | default('directory') | lower == 'file' + +- name: Ensure shared sources are present -- files + file: + path: "{{ deploy_helper.shared_path }}/{{ item.src }}" + state: touch + mode: "{{ item.mode | default('0644') }}" + with_items: "{{ project_shared_children }}" + when: item.type | default('directory') | lower == 'file' + +- name: Ensure parent directories for shared paths are present + file: + path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" + state: directory + with_items: "{{ project_shared_children }}" - name: Ensure shared paths are absent file: From f66f195bce15e6d5f6898608ec35c9d0cf9c8825 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 14 Dec 2016 19:36:16 -0500 Subject: [PATCH 104/292] 0.9.9 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4ff38a388a..f2bf2e60cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
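Review bot: The `Ensure shared sources are present -- files` task uses `state: touch`, which updates the file's timestamps on every run, so it reports `changed` on each deploy even when the file already existed; either record existence with a `stat` first and only touch when missing, or accept the noise explicitly with `changed_when: false`, and say which in a comment such as `# touch creates the file but also bumps mtime on every run`. The final `Ensure parent directories for shared paths are present` task sets no `mode`, so directories created under the new release take the remote umask, unlike the other three tasks that pin a mode; `mode: '0755'` would keep them consistent. The `when:` guards on the first three tasks repeat the same `item.type | default('directory') | lower` expression; a single `set_fact`-style helper is optional, but a comment noting that `type` is case-insensitive would document the intent.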
@@ -1,4 +1,4 @@ -### HEAD +### 0.9.9: December 14th, 2016 * Create `project_shared_children` files if they do not exist ([#706](https://github.com/roots/trellis/pull/706)) * Diffie-Hellman params now conditional on SSL status ([#709](https://github.com/roots/trellis/pull/709)) * Update PHP to 7.1 ([#695](https://github.com/roots/trellis/pull/695)) From fa6c8d0be654098d1b7646d68294984bd4720553 Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Sat, 17 Dec 2016 15:03:05 -0400 Subject: [PATCH 105/292] Update PHP version in README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 03db0da588..5c2387ebce 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ Trellis will configure a server with the following and more: * Ubuntu 16.04 Xenial LTS * Nginx (with optional FastCGI micro-caching) -* PHP 7.0 +* PHP 7.1 * MariaDB (a drop-in MySQL replacement) * SSL support (scores an A+ on the [Qualys SSL Labs Test](https://www.ssllabs.com/ssltest/)) * Let's Encrypt integration for free SSL certificates From dbd53f63c3d57f3b2f427c9bd1d36aa9043461c5 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 22 Dec 2016 19:31:49 -0700 Subject: [PATCH 106/292] Ensure all groups from users.yml are present on server --- roles/users/tasks/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index eda1098472..a96e711cc8 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -1,8 +1,9 @@ --- -- name: Ensure sudo group is present +- name: Ensure requested groups are present group: - name: sudo + name: "{{ item }}" state: present + with_items: "{{ users | sum(attribute='groups', start=[]) | list | unique }}" - name: Ensure sudo group has sudo privileges lineinfile: From 184ddc4869bdddd624b32c4ae2ce2b29654a653f Mon Sep 17 00:00:00 2001 
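Review bot: The new `with_items` expression `users | sum(attribute='groups', start=[])` raises an undefined-attribute error if any entry in `users` omits a `groups` key, a dependency the previous fixed `sudo` task did not have; `users | selectattr('groups', 'defined') | sum(attribute='groups', start=[]) | list | unique` keeps the loop tolerant. The `sudo` group is now only ensured when some user lists it, while the following `Ensure sudo group has sudo privileges` task (outside this hunk) still assumes it exists; on Ubuntu the group ships with the base image so this is likely harmless, but the assumption deserves a comment, e.g. `# the sudo group is expected to exist on the base image; it is only re-created here if a user requests it`.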
From: Dave Kiss Date: Mon, 26 Dec 2016 14:51:03 -0500 Subject: [PATCH 107/292] Update build routine suggestions for Sage 9 (#715) Update build-before example for Sage 9 These changes ensure that Sage 9's build routine is run successfully on deployment --- deploy-hooks/build-before.yml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index c83ef55b8a..f06250b275 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -4,20 +4,19 @@ # Uncomment the lines below and replace `sage` with your theme folder # # --- -# - name: Run npm install -# command: npm install +# - name: Run yarn install +# command: yarn install # connection: local # args: # chdir: "{{ project.local_path }}/web/app/themes/sage" # -# - name: Run bower install -# command: bower install -# connection: local +# - name: Install Composer dependencies +# command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts # args: -# chdir: "{{ project.local_path }}/web/app/themes/sage" +# chdir: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # -# - name: Run gulp -# command: gulp --production +# - name: Compile assets for production +# command: yarn run build:production # connection: local # args: # chdir: "{{ project.local_path }}/web/app/themes/sage" From 041d8bdfe9f98a4762146961cbf451699bf06427 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 28 Dec 2016 12:46:29 -0700 Subject: [PATCH 108/292] Create /home/vagrant/trellis bindfs mount with proper permissions (#705) Otherwise Ansible can fail due to files synced to VM as executable (Windows host machines) --- CHANGELOG.md | 3 +++ Vagrantfile | 16 ++++++++++++---- ansible.cfg | 1 + 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2bf2e60cc..3baf6b45f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,6 @@ +### HEAD +* Create `/home/vagrant/trellis` bindfs mount with proper permissions ([#705](https://github.com/roots/trellis/pull/705)) + ### 0.9.9: December 14th, 2016 * Create `project_shared_children` files if they do not exist ([#706](https://github.com/roots/trellis/pull/706)) * Diffie-Hellman params now conditional on SSL status ([#709](https://github.com/roots/trellis/pull/709)) diff --git a/Vagrantfile b/Vagrantfile index 10aab7710d..6b665d6a3c 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -7,7 +7,8 @@ ip = '192.168.50.5' # pick any local IP cpus = 1 memory = 1024 # in MB -ANSIBLE_PATH = __dir__ # absolute path to Ansible directory +ANSIBLE_PATH = __dir__ # absolute path to Ansible directory on host machine +ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis' # absolute path to Ansible directory on virtual machine # Set Ansible paths relative to Ansible directory ENV['ANSIBLE_CONFIG'] = ANSIBLE_PATH 
@@ -66,11 +67,14 @@ Vagrant.configure('2') do |config| fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager" end + bin_path = File.join(ANSIBLE_PATH_ON_VM, 'bin') + if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd' wordpress_sites.each_pair do |name, site| config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'] end - config.vm.synced_folder File.join(ANSIBLE_PATH, 'hosts'), File.join(ANSIBLE_PATH.sub(__dir__, '/vagrant'), 'hosts'), mount_options: ['dmode=755', 'fmode=644'] + config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'] + config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'] else if !Vagrant.has_plugin? 'vagrant-bindfs' fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" @@ -79,11 +83,14 @@ Vagrant.configure('2') do |config| config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' end + config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' + config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' + config.bindfs.bind_folder bin_path, bin_path, perms: '0755' end end provisioner = Vagrant::Util::Platform.windows? ? :ansible_local : :ansible - provisioning_path = Vagrant::Util::Platform.windows? ? ANSIBLE_PATH.sub(__dir__, '/vagrant') : ANSIBLE_PATH + provisioning_path = Vagrant::Util::Platform.windows? ? ANSIBLE_PATH_ON_VM : ANSIBLE_PATH config.vm.provision provisioner do |ansible| if Vagrant::Util::Platform.windows? ansible.install_mode = 'pip' 
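Review bot: Both new mounts expose the whole Trellis directory inside the VM world-readable — `fmode=644` on the Windows branch and `p: '0644,a+D'` on the bindfs branch — which covers `group_vars` and any vault files or vault password file kept in the project directory, so an unprivileged account on the VM such as the web server user could read them. Consider owner/group-restricted permissions for that mount (the site mounts a few lines above already use `owner`/`group`) and add a comment at the mount line stating what is exposed. `config.bindfs.bind_folder bin_path, bin_path, perms: '0755'` binds a path over itself, which looks intended as a re-mount to restore the execute bit, but it deserves a comment such as `# re-bind bin/ over itself so scripts keep their execute bit`; it also uses the long `perms:` option while the previous line uses the short `p:` form, and one style would read better. The enclosing `Vagrant.configure` block continues outside this hunk.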
@@ -152,7 +159,8 @@ def post_up_message msg = 'Your Trellis Vagrant box is ready to use!' msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine." msg << "\n* You can SSH into the machine with `vagrant ssh`." - msg << "\n* Then navigate to your WordPress sites at `/srv/www`." + msg << "\n* Then navigate to your WordPress sites at `/srv/www`" + msg << "\n or to your Trellis files at `#{ANSIBLE_PATH_ON_VM}`." msg end diff --git a/ansible.cfg b/ansible.cfg index 3f83209b27..f4394078d3 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -10,3 +10,4 @@ roles_path = vendor/roles [ssh_connection] ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s +pipelining = True From 2c5e07dc08253814b22289b43724806e1afcfb57 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 28 Dec 2016 16:18:40 -0500 Subject: [PATCH 109/292] Update finalize after hooks with better paths `new_release_path` was being used but at this point the symlink has already been created and the deploy finalized so we should use `current_path`. This also moves the themes path update task after DB updates. --- roles/deploy/hooks/finalize-after.yml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 60ba3a9696..e4d46af8ea 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
@@ -2,21 +2,15 @@ - name: WordPress Installed? command: wp core is-installed {{ project.multisite.enabled | default(false) | ternary('--network', '') }} args: - chdir: "{{ deploy_helper.new_release_path }}" + chdir: "{{ deploy_helper.current_path }}" register: wp_installed changed_when: false failed_when: wp_installed.stderr != "" -- name: Update WP theme paths - command: wp eval 'wp_clean_themes_cache(); switch_theme(get_stylesheet());' - args: - chdir: "{{ deploy_helper.new_release_path }}" - when: wp_installed | success - - name: Update WP database command: wp core update-db args: - chdir: "{{ deploy_helper.new_release_path }}" + chdir: "{{ deploy_helper.current_path }}" when: wp_installed | success and not project.multisite.enabled | default(false) - name: Warn about updating network database. @@ -27,11 +21,16 @@ - name: Update WP network database command: wp core update-db --network args: - chdir: "{{ deploy_helper.new_release_path }}" + chdir: "{{ deploy_helper.current_path }}" when: wp_installed | success and project.multisite.enabled | default(false) +- name: Update WP theme paths + command: wp eval 'wp_clean_themes_cache(); switch_theme(get_stylesheet());' + args: + chdir: "{{ deploy_helper.current_path }}" + when: wp_installed | success + - name: Reload php-fpm shell: sudo service php7.1-fpm reload args: - chdir: "{{ deploy_helper.new_release_path }}" warn: false From 632bbe84497584cf25ea3556b987a6cb63aec31b Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 29 Dec 2016 00:16:37 -0500 Subject: [PATCH 110/292] Fix #718 - change method of updating theme paths After a deploy we were running `switch_theme` would had the side effect of sometimes making sidebar widgets inactive. This uses a simpler, more direct method of updating `stylesheet_root` and `template_root` which should be less error-prone since it does less. --- CHANGELOG.md | 1 + roles/deploy/hooks/finalize-after.yml | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 3baf6b45f7..3a8908b3a7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix #718 - improve method of updating theme paths ([#720](https://github.com/roots/trellis/pull/720)) * Create `/home/vagrant/trellis` bindfs mount with proper permissions ([#705](https://github.com/roots/trellis/pull/705)) ### 0.9.9: December 14th, 2016 diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index e4d46af8ea..1914b98a7b 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -24,12 +24,24 @@ chdir: "{{ deploy_helper.current_path }}" when: wp_installed | success and project.multisite.enabled | default(false) -- name: Update WP theme paths - command: wp eval 'wp_clean_themes_cache(); switch_theme(get_stylesheet());' +- name: Get WP theme template root + command: wp option get template_root args: chdir: "{{ deploy_helper.current_path }}" + register: wp_template_root + changed_when: false + failed_when: wp_template_root.stderr != "" when: wp_installed | success +- name: Update WP theme paths + command: wp option set {{ item }} {{ deploy_helper.new_release_path }}/web/wp/wp-content/themes + args: + chdir: "{{ deploy_helper.current_path }}" + when: wp_installed | success and wp_template_root != '/themes' and wp_template_root != '' + with_items: + - stylesheet_root + - template_root + - name: Reload php-fpm shell: sudo service php7.1-fpm reload args: From b1e0882a21c08918eca2d842d6bf4d47e3cc0ee1 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 27 Jul 2016 13:16:06 -0700 Subject: [PATCH 111/292] Create ssl_enabled helper var --- group_vars/all/helpers.yml | 5 ++-- roles/letsencrypt/defaults/main.yml | 2 +- roles/wordpress-setup/tasks/nginx.yml | 4 +-- .../tasks/self-signed-certificate.yml | 2 +- .../templates/wordpress-site.conf.j2 | 26 +++++-------------- 5 files changed, 14 insertions(+), 25 deletions(-) 
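Review bot: The `when:` on `Update WP theme paths` compares the registered result `wp_template_root` — a dict — with the strings `'/themes'` and `''`, so both inequalities are always true and the options are rewritten on every deploy regardless of the current value; the condition should read `when: wp_installed | success and wp_template_root.stdout != '/themes' and wp_template_root.stdout != ''`. Writing `{{ deploy_helper.new_release_path }}/web/wp/wp-content/themes` into `stylesheet_root`/`template_root` pins both options to one release directory, which appears intentional because each deploy re-points them, but a comment on the task saying so (`# points the theme roots at this release; re-run on every deploy`) would save the next reader a search. `wp_installed` is registered in an earlier hunk outside this one.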
diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 22650ad78c..243c14b21f 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -4,10 +4,11 @@ wordpress_env_defaults: db_user: "{{ item.key | underscore }}" disable_wp_cron: true wp_env: "{{ env }}" - wp_home: "{{ item.value.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}" - wp_siteurl: "{{ item.value.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}/wp" + wp_home: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}" + wp_siteurl: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}/wp" site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" +ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}" diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index e97eb7ca01..6735ea78be 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -1,6 +1,6 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" letsencrypt_enabled: "{{ sites_using_letsencrypt | count > 0 }}" -site_uses_letsencrypt: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) and item.value.ssl.provider | default('manual') == 'letsencrypt' }}" +site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' }}" sites_need_confs: "False in [{% for item in nginx_confs.results if 'stat' in item %}{{ item.stat.exists }},{% endfor %}]" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index 64f9003b66..a8494526c8 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -5,7 +5,7 @@ dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.cert | basename }}" mode: 0640 with_dict: "{{ wordpress_sites }}" - when: item.value.ssl.enabled and item.value.ssl.cert is defined + when: ssl_enabled and item.value.ssl.cert is defined - name: Copy SSL key copy: @@ -13,7 +13,7 @@ dest: "{{ nginx_ssl_path }}/{{ item.value.ssl.key | basename }}" mode: 0600 with_dict: "{{ wordpress_sites }}" - when: item.value.ssl.enabled and item.value.ssl.key is defined + when: ssl_enabled and item.value.ssl.key is defined - name: Create Nginx conf for challenges location template: diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 4f1aacd3f6..14543b90ea 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml 
@@ -8,6 +8,6 @@ chdir: "{{ nginx_path }}/ssl" creates: "{{ item.key }}.*" with_dict: "{{ wordpress_sites }}" - when: item.value.ssl.enabled and item.value.ssl.provider | default('manual') == 'self-signed' + when: ssl_enabled and item.value.ssl.provider | default('manual') == 'self-signed' notify: - reload nginx diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 6a263ee634..1c69f4bb13 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -1,11 +1,7 @@ # {{ ansible_managed }} server { - {% if item.value.ssl is defined and item.value.ssl.enabled | default(false) -%} - listen 443 ssl http2; - {% else -%} - listen 80; - {% endif %} + listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; server_name {% for host in site_hosts_canonical %}{{ host }} {% if item.value.multisite.subdomains | default(false) %}*.{{ host }} {% endif %}{% endfor %}; access_log {{ www_root }}/{{ item.key }}/logs/access.log main; @@ -32,13 +28,9 @@ server { add_header Fastcgi-Cache $upstream_cache_status; - {% if item.value.ssl is defined and item.value.ssl.enabled | default(false) -%} - {{ lookup('template', 'https.conf.j2') }} - {% endif %} + {% if ssl_enabled %}{{ lookup('template', 'https.conf.j2') }}{% endif %} - {% if item.value.ssl is not defined or not item.value.ssl.enabled | default(false) -%} - include acme-challenge-location.conf; - {% endif %} + {% if not ssl_enabled %}include acme-challenge-location.conf;{% endif %} {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} set $skip_cache 0; @@ -78,7 +70,7 @@ server { } } -{% if item.value.ssl is defined and item.value.ssl.enabled | default(false) %} +{% if ssl_enabled %} server { listen 80; 
@@ -98,17 +90,13 @@ server { {% for host in item.value.site_hosts if host.redirects | default([]) %} server { - {% if item.value.ssl is defined and item.value.ssl.enabled | default(false) -%} - listen 443 ssl http2; + listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; - {{ lookup('template', 'https.conf.j2') }} - {% else -%} - listen 80; - {% endif -%} + {% if ssl_enabled %}{{ lookup('template', 'https.conf.j2') }}{% endif %} server_name {{ host.redirects | join(' ') }}; - {% if item.value.ssl is not defined or not item.value.ssl.enabled | default(false) -%} + {% if not ssl_enabled -%} include acme-challenge-location.conf; location / { From a8a1ab65d52922df8e1ce54b66dd6972fa700ccf Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 4 Aug 2016 17:08:16 -0600 Subject: [PATCH 112/292] Make handler out of task disabling acme challenge sites --- roles/common/handlers/main.yml | 7 +++++++ roles/letsencrypt/tasks/certificates.yml | 9 +-------- roles/letsencrypt/tasks/main.yml | 1 + roles/letsencrypt/tasks/nginx.yml | 2 ++ roles/letsencrypt/tasks/setup.yml | 1 + roles/wordpress-setup/tasks/self-signed-certificate.yml | 3 +-- 6 files changed, 13 insertions(+), 10 deletions(-) diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 801e23c8b8..ac43c75939 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,4 +1,11 @@ --- +- name: disable temporary challenge sites + file: + path: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item.key }}.conf" + state: absent + with_dict: "{{ wordpress_sites }}" + notify: reload nginx + - name: restart memcached service: name: memcached diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index d3e4405061..386e1be66a 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml 
@@ -1,3 +1,4 @@ +--- - name: Generate private keys shell: openssl genrsa 4096 > {{ letsencrypt_keys_dir }}/{{ item.key }}.key args: @@ -30,11 +31,3 @@ register: generate_initial_cert changed_when: generate_initial_cert.stdout is defined and 'Created' in generate_initial_cert.stdout notify: reload nginx - -- name: Disable Nginx site - file: - path: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item.key }}.conf" - state: absent - with_dict: "{{ wordpress_sites }}" - when: sites_need_confs - notify: reload nginx diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 7bd9a6ee2a..6c8b46cdd8 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml @@ -1,3 +1,4 @@ +--- - include: setup.yml - include: nginx.yml - include: certificates.yml diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 9a637ec5c0..dc303d02f9 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -1,3 +1,4 @@ +--- - name: Check for existing Nginx conf per site stat: path: "{{ nginx_path }}/sites-enabled/{{ item.key }}.conf" @@ -25,6 +26,7 @@ state: link when: not item | skipped and not item.stat.exists with_items: "{{ nginx_confs.results }}" + notify: disable temporary challenge sites - include: "{{ playbook_dir }}/roles/common/tasks/reload_nginx.yml" when: sites_need_confs diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 49b0886bbd..f864dcc9e6 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -1,3 +1,4 @@ +--- - name: Create directories and set permissions file: mode: "{{ item.mode | default(omit) }}" diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 14543b90ea..5e9cda2d6a 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml 
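Review bot: Moving the cleanup of `letsencrypt-*.conf` from a task guarded by `when: sites_need_confs` to a handler means it now fires only when the symlink task in roles/letsencrypt/tasks/nginx.yml reports a change; if an earlier run was interrupted after the temporary challenge sites were enabled but before handlers ran, the next run sees no change on that task and the challenge sites stay enabled. `force_handlers = True` in ansible.cfg (visible elsewhere on this page) covers task failures but not an interrupted run, so a comment on the `notify:` line noting this assumption — `# cleanup relies on this task changing; an interrupted run leaves challenge sites enabled until the next conf change` — or a final unconditional cleanup task would make the behaviour explicit. The handler itself iterates all `wordpress_sites`, not just Let's Encrypt ones, which is fine for `state: absent` but worth a one-line comment in the handler file.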
@@ -9,5 +9,4 @@ creates: "{{ item.key }}.*" with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.provider | default('manual') == 'self-signed' - notify: - - reload nginx + notify: reload nginx From bf8d51ee56752e68020ccafaea067aa2d9d555b4 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 29 Dec 2016 23:35:53 -0500 Subject: [PATCH 113/292] letsencrypt: suppress extra output in certificates Adds `--quiet` option for acme-tiny to get rid of unwanted logging output from appearing in certificates. Example: ``` Parsing account key... Parsing CSR... Registering account... Registered! Verifying example.com... example.com verified! Signing certificate... Certificate signed! ``` --- CHANGELOG.md | 1 + roles/letsencrypt/templates/renew-certs.py | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a8908b3a7..f3fd23aae4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Suppress extra output in SSL certificates ([#723](https://github.com/roots/trellis/pull/723)) * Fix #718 - improve method of updating theme paths ([#720](https://github.com/roots/trellis/pull/720)) * Create `/home/vagrant/trellis` bindfs mount with proper permissions ([#705](https://github.com/roots/trellis/pull/705)) diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 06a01b61fb..606194e33e 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -26,6 +26,7 @@ print 'Generating certificate for ' + site cmd = ('/usr/bin/env python {{ acme_tiny_software_directory }}/acme_tiny.py ' + '--quiet ' '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' '--csr {{ acme_tiny_data_directory }}/csrs/{0}.csr ' From 6f004d912a60c69963d7571539cae45a1f87427f Mon Sep 17 00:00:00 2001 
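Review bot: In the roles/letsencrypt/templates/renew-certs.py hunk, `--quiet` hides acme-tiny's progress messages but does not address why they reached the certificate file: the `check_output` call for this `cmd` (outside the hunk, later visible in this series as `check_output(cmd, stderr=STDOUT, shell=True)`) merges stderr into the captured text that is presumably written out as the cert, so any future warning on stderr corrupts the file again. Capture stderr separately and validate the result before writing, e.g. `cert = check_output(cmd, shell=True)` followed by `if not cert.startswith('-----BEGIN CERTIFICATE-----'): failed = True; continue` (the `failed` flag already exists at the top of the script). The enclosing `for site in ...` loop starts and ends outside the hunk.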
From: Scott Walkinshaw Date: Fri, 30 Dec 2016 12:37:04 -0500 Subject: [PATCH 114/292] Improve Vagrantfile landrush support Previously we documented these changes that people would need to manually make. This handles it automatically so landrush is supported out of the box if the user installs the plugin. --- CHANGELOG.md | 1 + Vagrantfile | 12 ++++++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3fd23aae4..762001c30d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* `Vagrantfile`: add automatic support for landrush ([#724](https://github.com/roots/trellis/pull/724)) * Suppress extra output in SSL certificates ([#723](https://github.com/roots/trellis/pull/723)) * Fix #718 - improve method of updating theme paths ([#720](https://github.com/roots/trellis/pull/720)) * Create `/home/vagrant/trellis` bindfs mount with proper permissions ([#705](https://github.com/roots/trellis/pull/705)) diff --git a/Vagrantfile b/Vagrantfile index 6b665d6a3c..6cc33194fc 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -59,12 +59,16 @@ Vagrant.configure('2') do |config| redirects = site_hosts.flat_map { |host| host['redirects'] }.compact - if Vagrant.has_plugin? 'vagrant-hostmanager' + if Vagrant.has_plugin?('vagrant-hostmanager') && !multisite_subdomains?(wordpress_sites) config.hostmanager.enabled = true config.hostmanager.manage_host = true config.hostmanager.aliases = hostnames + redirects + elsif Vagrant.has_plugin?('landrush') && multisite_subdomains?(wordpress_sites) + config.landrush.enabled = true + config.landrush.tld = config.vm.hostname + hostnames.each { |host| config.landrush.host host, ip } else - fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager" + fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager\n\nOr install landrush for multisite subdomains:\nvagrant plugin install landrush" end bin_path = File.join(ANSIBLE_PATH_ON_VM, 'bin') @@ -151,6 +155,10 @@ def local_site_path(site) File.expand_path(site['local_path'], ANSIBLE_PATH) end +def multisite_subdomains?(wordpress_sites) + wordpress_sites.any? { |(_name, site)| site['multisite'].fetch('enabled', false) && site['multisite'].fetch('subdomains', false) } +end + def nfs_path(site_name) "/vagrant-nfs-#{site_name}" end From a86a02c49b29d5b5a5d32eb8c6162960af1304d8 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 6 Jan 2017 19:35:04 -0500 Subject: [PATCH 115/292] Fix #727 - HSTS: default preload to off The HSTS `preload` option defaulted to true. This turns it off by default since the HSTS preload list should be opt-in as it also requires a submission to https://hstspreload.org. --- CHANGELOG.md | 1 + roles/nginx/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 762001c30d..0606157d68 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
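Review bot: The landrush branch registers only `hostnames`, whereas the hostmanager branch registers `hostnames + redirects`, so redirect hosts never resolve when landrush is the active plugin; `(hostnames + redirects).each { |host| config.landrush.host host, ip }` keeps the two branches equivalent. In the second hunk, `multisite_subdomains?` calls `site['multisite'].fetch(...)` and raises `NoMethodError` for a site whose config omits the `multisite` key entirely; `site.fetch('multisite', {})` guards that without changing the result for sites that define it. The helper is also evaluated in both branch conditions, which is harmless but could be computed once before the `if`.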
@@ -1,4 +1,5 @@
 ### HEAD
+* [BREAKING] Fix #727 - HSTS: default preload to off ([#728](https://github.com/roots/trellis/pull/728))
 * `Vagrantfile`: add automatic support for landrush ([#724](https://github.com/roots/trellis/pull/724))
 * Suppress extra output in SSL certificates ([#723](https://github.com/roots/trellis/pull/723))
 * Fix #718 - improve method of updating theme paths ([#720](https://github.com/roots/trellis/pull/720))
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 0f63702625..a77ecfb80d 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -9,7 +9,7 @@ nginx_ssl_path: "{{ nginx_path }}/ssl"
 # HSTS defaults
 nginx_hsts_max_age: 31536000
 nginx_hsts_include_subdomains: true
-nginx_hsts_preload: true
+nginx_hsts_preload: false
 # Fastcgi cache params
 nginx_cache_path: /var/cache/nginx
From 6aa04fb7fa305f3ae70df87633972a8df99548b7 Mon Sep 17 00:00:00 2001
From: Phil Nelson
Date: Sun, 1 Jan 2017 15:35:33 -0700
Subject: [PATCH 116/292] Use dynamic local_path to accommodate Ansible running on VM
---
 CHANGELOG.md | 1 +
 deploy-hooks/build-before.yml | 6 +++---
 deploy.yml | 1 +
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0606157d68..a64757b5cc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Use dynamic `local_path` to accommodate Ansible running on VM ([#725](https://github.com/roots/trellis/pull/725))
 * [BREAKING] Fix #727 - HSTS: default preload to off ([#728](https://github.com/roots/trellis/pull/728))
 * `Vagrantfile`: add automatic support for landrush ([#724](https://github.com/roots/trellis/pull/724))
 * Suppress extra output in SSL certificates ([#723](https://github.com/roots/trellis/pull/723))
diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml
index f06250b275..44cce03693 100644
--- a/deploy-hooks/build-before.yml
+++ b/deploy-hooks/build-before.yml
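Review bot: In the roles/nginx/defaults/main.yml hunk the new default is right but undocumented, and the three HSTS values only make sense together: preload submission requires `includeSubDomains` and a long `max-age`, and once a domain is on the browser preload list flipping this variable back does not undo the commitment. Suggest extending the header comment to `# HSTS defaults; preload is opt-in (requires a submission at https://hstspreload.org plus include_subdomains and a long max_age, and is effectively permanent)`. Hosts already provisioned with the previous `true` default keep sending the preload directive until they are re-provisioned, which is worth a line in the CHANGELOG entry marked BREAKING.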
@@ -8,7 +8,7 @@ # command: yarn install # connection: local # args: -# chdir: "{{ project.local_path }}/web/app/themes/sage" +# chdir: "{{ project_local_path }}/web/app/themes/sage" # # - name: Install Composer dependencies # command: composer install --no-ansi --no-dev --no-interaction --no-progress --optimize-autoloader --no-scripts @@ -19,11 +19,11 @@ # command: yarn run build:production # connection: local # args: -# chdir: "{{ project.local_path }}/web/app/themes/sage" +# chdir: "{{ project_local_path }}/web/app/themes/sage" # # - name: Copy project local files # synchronize: -# src: "{{ project.local_path }}/web/app/themes/sage/dist" +# src: "{{ project_local_path }}/web/app/themes/sage/dist" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" # group: no # owner: no diff --git a/deploy.yml b/deploy.yml index e8b3d4716f..39b2fc57f0 100644 --- a/deploy.yml +++ b/deploy.yml @@ -22,6 +22,7 @@ wp_home: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}" wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" site_env: "{{ wordpress_env_defaults | combine(project.env | default({}), vault_wordpress_sites[site].env) }}" + project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" pre_tasks: - name: Ensure site is valid From 78ff762dec800fa75f369beb141232d762a010ca Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Thu, 12 Jan 2017 21:57:17 -0500 Subject: [PATCH 117/292] Fix #731 - Use option stdout to fix theme paths `wp_template_root` was just the registered Ansible var. The values needed to be checked against the `stdout` which is the actual output of the `wp get option` command. --- roles/deploy/hooks/finalize-after.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
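Review bot: In the deploy.yml hunk, `project_local_path` picks the VM path versus `project.local_path` solely on `lookup('env', 'USER') == 'vagrant'`, which is a brittle proxy for "Ansible is running inside the VM": a control machine whose account happens to be named `vagrant` gets the VM path, and a VM session under another user gets the host path. An explicit signal is safer, for example leaving this as a default that inventory or group_vars can override, or checking the mount itself (`project_root + '/' + project_current_path`) with a `stat` in `pre_tasks` before falling back. Since the commented examples in deploy-hooks/build-before.yml now reference this variable, a comment above the line explaining the heuristic would help; the enclosing vars section continues outside the hunk.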
diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml
index 1914b98a7b..dc1c52665d 100644
--- a/roles/deploy/hooks/finalize-after.yml
+++ b/roles/deploy/hooks/finalize-after.yml
@@ -37,7 +37,7 @@
 command: wp option set {{ item }} {{ deploy_helper.new_release_path }}/web/wp/wp-content/themes
 args:
 chdir: "{{ deploy_helper.current_path }}"
- when: wp_installed | success and wp_template_root != '/themes' and wp_template_root != ''
+ when: wp_installed | success and wp_template_root.stdout != '' and wp_template_root.stdout != '/themes'
 with_items:
 - stylesheet_root
 - template_root
From 163dcc712fd454697d47bc224c7fcd2700b3c12f Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Thu, 12 Jan 2017 22:12:42 -0500
Subject: [PATCH 118/292] Use a block for wp_installed conditional
---
 roles/deploy/hooks/finalize-after.yml | 62 ++++++++++++++-------------
 1 file changed, 32 insertions(+), 30 deletions(-)
diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml
index dc1c52665d..946a190a93 100644
--- a/roles/deploy/hooks/finalize-after.yml
+++ b/roles/deploy/hooks/finalize-after.yml
@@ -7,40 +7,42 @@ changed_when: false failed_when: wp_installed.stderr != "" -- name: Update WP database - command: wp core update-db - args: - chdir: "{{ deploy_helper.current_path }}" - when: wp_installed | success and not project.multisite.enabled | default(false) +- block: + - name: Update WP database + command: wp core update-db + args: + chdir: "{{ deploy_helper.current_path }}" + when: project.multisite.enabled | default(false) -- name: Warn about updating network database. - debug: - msg: "Updating the network database could take a long time with a large number of sites." - when: wp_installed | success and project.multisite.enabled | default(false) + - name: Warn about updating network database. + debug: + msg: "Updating the network database could take a long time with a large number of sites." + when: project.multisite.enabled | default(false) -- name: Update WP network database - command: wp core update-db --network - args: - chdir: "{{ deploy_helper.current_path }}" - when: wp_installed | success and project.multisite.enabled | default(false) + - name: Update WP network database + command: wp core update-db --network + args: + chdir: "{{ deploy_helper.current_path }}" + when: project.multisite.enabled | default(false) -- name: Get WP theme template root - command: wp option get template_root - args: - chdir: "{{ deploy_helper.current_path }}" - register: wp_template_root - changed_when: false - failed_when: wp_template_root.stderr != "" - when: wp_installed | success + - name: Get WP theme template root + command: wp option get template_root + args: + chdir: "{{ deploy_helper.current_path }}" + register: wp_template_root + changed_when: false + failed_when: wp_template_root.stderr != "" -- name: Update WP theme paths - command: wp option set {{ item }} {{ deploy_helper.new_release_path }}/web/wp/wp-content/themes - args: - chdir: "{{ deploy_helper.current_path }}" - when: wp_installed | success and wp_template_root.stdout != '' and 
wp_template_root.stdout != '/themes' - with_items: - - stylesheet_root - - template_root + - name: Update WP theme paths + command: wp option set {{ item }} {{ deploy_helper.new_release_path }}/web/wp/wp-content/themes + args: + chdir: "{{ deploy_helper.current_path }}" + when: wp_template_root.stdout != '' and wp_template_root.stdout != '/themes' + with_items: + - stylesheet_root + - template_root + + when: wp_installed | success - name: Reload php-fpm shell: sudo service php7.1-fpm reload From 85a12d19aa2fb34754a7b58cce1318b30f7fafe9 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 13 Jan 2017 15:30:54 -0700 Subject: [PATCH 119/292] Avoid loop.first variable in conditional jinja loops (#729) Fixes 'variable referenced before assignment in enclosing scope' error that appeared with python 2.7.12 and its apparent change in handling the {% if loop.first %} jinja control structure. --- CHANGELOG.md | 1 + roles/remote-user/tasks/main.yml | 2 +- roles/users/tasks/main.yml | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a64757b5cc..98dcc8818a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Avoid `loop.first` variable in conditional jinja loops ([#729](https://github.com/roots/trellis/pull/729)) * Use dynamic `local_path` to accommodate Ansible running on VM ([#725](https://github.com/roots/trellis/pull/725)) * [BREAKING] Fix #727 - HSTS: default preload to off ([#728](https://github.com/roots/trellis/pull/728)) * `Vagrantfile`: add automatic support for landrush ([#724](https://github.com/roots/trellis/pull/724)) diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index 94432a6c66..182273a884 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml 
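Review bot: Moving the tasks under a `block` with `when: wp_installed | success` also dropped the `not` from the `Update WP database` task: the old condition was `when: wp_installed | success and not project.multisite.enabled | default(false)`, the new one is `when: project.multisite.enabled | default(false)`. As written, single-site installs skip `wp core update-db` entirely and multisite installs run both the single-site and the `--network` update. Restore the negation, `when: not project.multisite.enabled | default(false)`; the other three tasks keep their original conditions.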
@@ -24,6 +24,6 @@ - name: Load become password set_fact: - ansible_become_pass: "{% for user in vault_users | default([]) if user.name == ansible_user and user.password is defined %}{% if loop.first %}{{ user.password }}{% endif %}{% endfor %}" + ansible_become_pass: "{% for user in vault_users | default([]) if user.name == ansible_user %}{{ '{% raw %}' }}{{ user.password | default('') }}{{ '{% endraw %}' }}{% endfor %}" when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined no_log: true diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index a96e711cc8..8a126199f0 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -16,8 +16,8 @@ - name: Fail if root login will be disabled but admin_user will not be a sudoer assert: that: - - "{% for user in users if user.name == admin_user %}{% if loop.first %}{{ 'sudo' in user.groups }}{% endif %}{% else %}{{ false }}{% endfor %}" - - "{% for user in vault_users | default([]) if user.name == admin_user %}{% if loop.first %}{{ user.password is defined }}{% endif %}{% else %}{{ false }}{% endfor %}" + - "{% for user in users if user.name == admin_user %}{{ 'sudo' in user.groups }}{% else %}{{ false }}{% endfor %}" + - "{% for user in vault_users | default([]) if user.name == admin_user %}{{ user.password is defined }}{% else %}{{ false }}{% endfor %}" msg: | When `sshd_permit_root_login: false`, you must add `sudo` to the `groups` for admin_user (in `users` hash), and set a password for admin_user in `vault_users` (in `group_vars/{{ env }}/vault.yml`). Otherwise Ansible could lose the ability to run the necessary sudo commands. {% if sudoer_passwords is defined or vault_sudoer_passwords is defined %} 
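Review bot: In the roles/remote-user/tasks/main.yml hunk, the `{{ '{% raw %}' }}…{{ '{% endraw %}' }}` wrapper around `user.password` appears to be doing real work (keeping a vault password that contains `{{` or `{%` from being templated again when `ansible_become_pass` is later consumed), but nothing says so, and a future cleanup could easily strip it as noise. Add a comment above the task: `# Wrap the password in raw/endraw so Jinja delimiters inside the vault value are never re-templated`. Dropping the `user.password is defined` loop filter in favour of `default('')` yields the same empty fact as before for a user without a password, so that part is behaviour-preserving.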
@@ -33,7 +33,7 @@ name: "{{ item.name }}" group: "{{ item.groups[0] }}" groups: "{{ item.groups | join(',') }}" - password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{% if loop.first %}{{ user.password | password_hash("sha512", user.salt[:16] | default(None) | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% endif %}{% else %}{{ None }}{% endfor %}' + password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", user.salt | default("") | truncate(16, true, "") | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ None }}{% endfor %}' state: present shell: /bin/bash update_password: always From 0908ba82495c2532b753d5def6e1c90cea004dcd Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Mon, 16 Jan 2017 13:13:13 -0800 Subject: [PATCH 120/292] enable the ability to skip Galaxy requirements installation step --- Vagrantfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 6cc33194fc..6c9434c300 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -103,7 +103,9 @@ Vagrant.configure('2') do |config| end ansible.playbook = File.join(provisioning_path, 'dev.yml') - ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') + unless ENV['SKIP_GALAXY'] + ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') + end ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') ansible.groups = { From d462028bdc2903159227d72e6f0b00daee585ced Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 16 Jan 2017 23:53:45 -0500 Subject: [PATCH 121/292] CHANGELOG for #734 --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 98dcc8818a..e54070deeb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
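Review bot: Two concerns with the new salt expression `user.salt | default("") | truncate(16, true, "")` in the roles/users/tasks/main.yml hunk. First, a user without `salt` previously got `None`, letting `password_hash` choose a random salt; now it gets an empty string, and if the filter only generates a salt when the argument is `None` (worth confirming for the Ansible version in use) every such user ends up with an unsalted `$6$$…` hash, which is materially weaker than a salted one. Second, Jinja's `truncate` has a `leeway` argument (default 5 in Jinja 2.9+), so a 17- to 21-character salt is returned untouched instead of cut to 16, which is longer than crypt's sha512 salt limit; pass `leeway=0` or slice the defaulted string, `(user.salt | default(''))[:16]`. To keep the random-salt path, branch on `user.salt is defined` and call `password_hash("sha512")` with no salt argument in the `else` case.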
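Review bot: In the Vagrantfile hunk, `unless ENV['SKIP_GALAXY']` treats any non-empty value as a request to skip, so `SKIP_GALAXY=0` or `SKIP_GALAXY=false` also skips the install, which is the opposite of what a user setting it that way expects. Something like `unless %w[1 true yes].include?(ENV['SKIP_GALAXY'].to_s.downcase)` makes the intent explicit, and a one-line comment noting that the roles must then already be present under `vendor/roles` (otherwise the failure surfaces later as a missing role during provisioning) would help the next reader.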
@@ -1,4 +1,5 @@
 ### HEAD
+* Add `SKIP_GALAXY` env var to skip galaxy install in Vagrant ([#734](https://github.com/roots/trellis/pull/734))
 * Avoid `loop.first` variable in conditional jinja loops ([#729](https://github.com/roots/trellis/pull/729))
 * Use dynamic `local_path` to accommodate Ansible running on VM ([#725](https://github.com/roots/trellis/pull/725))
 * [BREAKING] Fix #727 - HSTS: default preload to off ([#728](https://github.com/roots/trellis/pull/728))
From f6d7c5af57d02fb1c3914a0ff2135dc3c3000fbc Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Wed, 18 Jan 2017 19:38:13 -0500
Subject: [PATCH 122/292] Fix deploy hook update-db conditional
---
 roles/deploy/hooks/finalize-after.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml
index 946a190a93..c95b140ae5 100644
--- a/roles/deploy/hooks/finalize-after.yml
+++ b/roles/deploy/hooks/finalize-after.yml
@@ -12,7 +12,7 @@
 command: wp core update-db
 args:
 chdir: "{{ deploy_helper.current_path }}"
- when: project.multisite.enabled | default(false)
+ when: not project.multisite.enabled | default(false)
 - name: Warn about updating network database.
 debug:
From a2fd53a8c245759b571d6b8334995835b6290f59 Mon Sep 17 00:00:00 2001
From: Jeremy Bicha
Date: Sat, 21 Jan 2017 00:55:49 +0000
Subject: [PATCH 123/292] Update nginx wiki link
---
 roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index 1c69f4bb13..48a073aa60 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -13,7 +13,7 @@ server {
 charset utf-8;
 {% if env == 'development' -%}
- # See Virtualbox section at http://wiki.nginx.org/Pitfalls
+ # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#virtualbox
 sendfile off;
 {%- endif %}
From c79157556b23c2f373dc0902c5bb4e00b2786b11 Mon Sep 17 00:00:00 2001
From: Phil Nelson
Date: Thu, 4 Aug 2016 17:28:09 -0600
Subject: [PATCH 124/292] Create acme challenge Nginx confs for new hosts
---
 roles/letsencrypt/defaults/main.yml | 4 +--
 roles/letsencrypt/tasks/nginx.yml | 35 ++++++++++---------
 .../templates/nginx-challenge-site.conf.j2 | 2 +-
 .../templates/wordpress-site.conf.j2 | 4 ---
 4 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
index 6735ea78be..5e5d1bdadb 100644
--- a/roles/letsencrypt/defaults/main.yml
+++ b/roles/letsencrypt/defaults/main.yml
@@ -1,7 +1,7 @@
 sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]"
-letsencrypt_enabled: "{{ sites_using_letsencrypt | count > 0 }}"
+letsencrypt_enabled: "{{ sites_using_letsencrypt | count }}"
 site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' }}"
-sites_need_confs: "False in [{% for item in nginx_confs.results if 'stat' in item %}{{ item.stat.exists }},{% endfor %}]"
+missing_hosts: "{{ site_uses_letsencrypt | ternary(site_hosts, []) | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}"
 acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git'
 acme_tiny_commit: '5a7b4e79bc9bd5b51739c0d8aaf644f62cc440e6'
diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml
index dc303d02f9..508c259acf 100644
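Review bot: In the roles/letsencrypt/defaults/main.yml hunk, `missing_hosts` is only meaningful inside a `with_dict: wordpress_sites` loop after the `current_hosts` register in roles/letsencrypt/tasks/nginx.yml has run, yet it sits among role defaults where it reads as a free-standing variable; referenced anywhere else it fails on an undefined `current_hosts.results`. A comment above it, `# Only valid inside a wordpress_sites loop after 'Get list of hosts in current Nginx conf' has registered current_hosts`, would prevent misuse. `letsencrypt_enabled` also changed from a boolean to a count rendered as a string, so `when: letsencrypt_enabled` now depends on how Ansible evaluates `"0"`; if that was done to work around a templating issue with `> 0` inside a quoted expression, a comment saying so would stop someone from "fixing" it back.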
--- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml 
@@ -1,35 +1,38 @@ --- -- name: Check for existing Nginx conf per site - stat: - path: "{{ nginx_path }}/sites-enabled/{{ item.key }}.conf" - register: nginx_confs - when: site_uses_letsencrypt - with_dict: "{{ wordpress_sites }}" - - name: Create Nginx conf for challenges location template: src: acme-challenge-location.conf.j2 dest: "{{ nginx_path }}/acme-challenge-location.conf" - when: sites_need_confs + +- name: Get list of hosts in current Nginx conf + shell: | + [ ! -f {{ nginx_path }}/sites-enabled/{{ item.key }}.conf ] || + sed -n -e "/listen 80/,/server_name/{s/server_name \(.*\);/\1/p}" {{ nginx_path }}/sites-enabled/{{ item.key }}.conf + register: current_hosts + changed_when: false + when: site_uses_letsencrypt + with_dict: "{{ wordpress_sites }}" - name: Create needed Nginx confs for challenges template: src: nginx-challenge-site.conf.j2 - dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.item.key }}.conf" - when: not item | skipped and not item.stat.exists - with_items: "{{ nginx_confs.results }}" + dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf" + register: challenge_site_confs + when: missing_hosts | count + with_dict: "{{ wordpress_sites }}" - name: Enable Nginx sites file: - src: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.item.key }}.conf" - dest: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item.item.key }}.conf" + src: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf" + dest: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item.key }}.conf" state: link - when: not item | skipped and not item.stat.exists - with_items: "{{ nginx_confs.results }}" + register: challenge_sites_enabled + when: missing_hosts | count + with_dict: "{{ wordpress_sites }}" notify: disable temporary challenge sites - include: "{{ playbook_dir }}/roles/common/tasks/reload_nginx.yml" - when: sites_need_confs + when: challenge_site_confs | changed or challenge_sites_enabled | changed - name: Create test Acme 
Challenge file shell: touch {{ acme_tiny_challenges_directory }}/ping.txt diff --git a/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 b/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 index 6070698b74..2741378f79 100644 --- a/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 +++ b/roles/letsencrypt/templates/nginx-challenge-site.conf.j2 @@ -1,5 +1,5 @@ server { listen 80; - server_name{% for item in item.item.value.site_hosts %} {{ item.canonical }}{% for redirect in item.redirects | default([]) %} {{ redirect }}{% endfor %}{% endfor %}; + server_name {{ missing_hosts | join(' ') }}; include acme-challenge-location.conf; } diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 48a073aa60..efb80f381f 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -76,15 +76,11 @@ server { server_name {{ site_hosts | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | join(' *.') }}{% endif %}; - {% if item.value.ssl.provider | default('manual') == 'letsencrypt' -%} include acme-challenge-location.conf; location / { return 301 https://$host$request_uri; } - {% else %} - return 301 https://$host$request_uri; - {% endif -%} } {% endif %} From 8ef5718b3489e26657dba155ca06aa1714bb46f9 Mon Sep 17 00:00:00 2001 
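Review bot: In the roles/letsencrypt/tasks/nginx.yml hunk, the `Get list of hosts in current Nginx conf` pipeline interpolates `{{ nginx_path }}/sites-enabled/{{ item.key }}.conf` unquoted in both the `[ ! -f ... ]` test and the `sed` command, so a site key containing whitespace or a shell metacharacter breaks the command rather than being treated as a filename; quote both occurrences, `"{{ nginx_path }}/sites-enabled/{{ item.key }}.conf"`. The `sed` address `/listen 80/,/server_name/` also assumes the generated conf keeps `listen 80` before a single-line `server_name` in the port-80 block; a hand-edited or multi-line `server_name` yields no hosts, `missing_hosts` then equals `site_hosts`, and a challenge site is created for hosts the real conf already serves, reproducing the duplicate-`server_name` conflict the temporary sites are meant to avoid. A short comment recording that dependency on the template layout would help; the task list continues outside the hunk.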
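Review bot: In the roles/wordpress-setup/templates/wordpress-site.conf.j2 hunk, dropping the `letsencrypt` guard makes the port-80 `server` block do `include acme-challenge-location.conf;` unconditionally, but that file is only written by the letsencrypt role's `Create Nginx conf for challenges` task. On a host where no site uses Let's Encrypt (manual or self-signed certificates only) the letsencrypt role presumably does not run, the include target is absent, and nginx refuses to load the configuration, a provisioning-time outage rather than a security issue but one worth guarding. Either keep the `{% if item.value.ssl.provider | default('manual') == 'letsencrypt' -%}` guard around the include, or have the nginx/common role always write the location file so the include is always satisfiable. The enclosing `server` block starts outside the hunk.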
From: Phil Nelson Date: Thu, 29 Dec 2016 21:33:43 -0700 Subject: [PATCH 125/292] Use IDs in filenames to ensure CSRs and certs update when needed Each ID is a hash of the combination of the following: * var: site_hosts * var: letsencrypt_intermediate_cert_sha256sum * var: acme_tiny_commit * var: letsencrypt_ca * file: /etc/nginx/ssl/letsencrypt/{{ site }}.key * file: /var/lib/letsencrypt/account.key --- CHANGELOG.md | 1 + roles/letsencrypt/defaults/main.yml | 1 + roles/letsencrypt/tasks/certificates.yml | 30 ++++++++++++++----- roles/letsencrypt/tasks/setup.yml | 6 ---- roles/letsencrypt/templates/renew-certs.py | 14 ++++----- roles/wordpress-setup/templates/https.conf.j2 | 2 +- 6 files changed, 31 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e54070deeb..7d226d1148 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Enable Let's Encrypt to detect updated `site_hosts` ([#630](https://github.com/roots/trellis/pull/630)) * Add `SKIP_GALAXY` env var to skip galaxy install in Vagrant ([#734](https://github.com/roots/trellis/pull/734)) * Avoid `loop.first` variable in conditional jinja loops ([#729](https://github.com/roots/trellis/pull/729)) * Use dynamic `local_path` to accommodate Ansible running on VM ([#725](https://github.com/roots/trellis/pull/725)) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 5e5d1bdadb..76d480fb7c 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -2,6 +2,7 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if s letsencrypt_enabled: "{{ sites_using_letsencrypt | count }}" site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' }}" missing_hosts: "{{ site_uses_letsencrypt | ternary(site_hosts, []) | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" +letsencrypt_cert_ids: "{ {% for item in generate_cert_ids.results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' acme_tiny_commit: '5a7b4e79bc9bd5b51739c0d8aaf644f62cc440e6' diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index 386e1be66a..f0fe4080e8 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -5,7 +5,6 @@ creates: "{{ letsencrypt_keys_dir }}/{{ item.key }}.key" when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" - tags: [letsencrypt_keys] - name: Ensure correct permissions on private keys file: 
@@ -13,21 +12,36 @@ mode: 0600 when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" - tags: [letsencrypt_keys] + +- name: Generate Lets Encrypt certificate IDs + shell: | + echo "{{ [site_hosts | join(' '), letsencrypt_ca, acme_tiny_commit, letsencrypt_intermediate_cert_sha256sum] | join('\n') }}" | + cat {{ letsencrypt_account_key }} {{ letsencrypt_keys_dir }}/{{ item.key }}.key - | + md5sum | cut -c -7 + register: generate_cert_ids + changed_when: false + when: site_uses_letsencrypt + with_dict: "{{ wordpress_sites }}" + tags: [wordpress, wordpress-setup] - name: Generate CSRs - shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" + shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr" args: executable: /bin/bash - creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}.csr" + creates: "{{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr" when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" - tags: [letsencrypt_keys] -- name: Generate the initial certificate +- name: Generate certificate renewal script + template: + src: renew-certs.py + dest: "{{ acme_tiny_data_directory }}/renew-certs.py" + mode: 0700 + +- name: Generate the certificates command: ./renew-certs.py args: chdir: "{{ acme_tiny_data_directory }}" - register: generate_initial_cert - changed_when: generate_initial_cert.stdout is defined and 'Created' in generate_initial_cert.stdout + register: generate_certs + changed_when: generate_certs.stdout is defined and 
'Created' in generate_certs.stdout notify: reload nginx diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index f864dcc9e6..69aa77a700 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -39,12 +39,6 @@ register: generate_account_key when: letsencrypt_account_key_source_content is not defined and letsencrypt_account_key_source_file is not defined -- name: Generate certificate renewal script - template: - src: renew-certs.py - dest: "{{ acme_tiny_data_directory }}/renew-certs.py" - mode: 0700 - - name: Download intermediate certificate get_url: url: "{{ letsencrypt_intermediate_cert_url }}" diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py index 606194e33e..88cd133419 100644 --- a/roles/letsencrypt/templates/renew-certs.py +++ b/roles/letsencrypt/templates/renew-certs.py @@ -6,14 +6,12 @@ from subprocess import CalledProcessError, check_output, STDOUT -certs_dir = '{{ letsencrypt_certs_dir }}' failed = False -sites = {{ wordpress_sites }} -sites = (k for k, v in sites.items() if 'ssl' in v and v['ssl'].get('enabled', False) and v['ssl'].get('provider', 'manual') == 'letsencrypt') +letsencrypt_cert_ids = {{ letsencrypt_cert_ids }} -for site in sites: - cert_path = os.path.join(certs_dir, site + '.cert') - bundled_cert_path = os.path.join(certs_dir, site + '-bundled.cert') +for site in {{ sites_using_letsencrypt }}: + cert_path = os.path.join('{{ letsencrypt_certs_dir }}', site + '-' + letsencrypt_cert_ids[site] + '.cert') + bundled_cert_path = os.path.join('{{ letsencrypt_certs_dir }}', site + '-' + letsencrypt_cert_ids[site] + '-bundled.cert') if os.access(cert_path, os.F_OK): stat = os.stat(cert_path) 
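Review bot: In the roles/letsencrypt/tasks/certificates.yml hunk, `Generate Lets Encrypt certificate IDs` feeds both private keys (`{{ letsencrypt_account_key }}` and the per-site `.key`) through `cat | md5sum | cut -c -7` to derive a value that then appears in filenames (`csrs/<site>-<id>.csr`, the cert path in https.conf.j2). A 7-hex-digit truncated MD5 does not leak the key, but hashing secret material into a public identifier is an unnecessary smell, and 28 bits of ID collide after a few thousand distinct inputs; hashing the public half instead (the output of `openssl rsa -pubout` for each key) gives the same change detection with no secret in the pipeline, and a longer cut such as `cut -c -16` removes the collision concern. The task also has no `failed_when`, so with `--tags wordpress-setup` on a host where the untagged `Generate private keys` task has not yet run, `cat` fails and the play stops rather than skipping. The task list continues outside the hunk.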
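Review bot: In the roles/letsencrypt/templates/renew-certs.py hunk, switching to `<site>-<id>` filenames means that whenever the ID changes (hosts, key, CA or acme-tiny commit) the previous `<site>-<oldid>.cert`, `-bundled.cert` and `.csr` files stay behind; nothing in this script or in certificates.yml removes them, so the directories accumulate stale certificates indefinitely. Add a prune step after a successful issue, e.g. iterate `glob.glob(os.path.join('{{ letsencrypt_certs_dir }}', site + '-*.cert'))` and `os.remove` the entries whose name does not contain `letsencrypt_cert_ids[site]` (`import glob` at the top of the script). The `for site in {{ sites_using_letsencrypt }}:` loop body continues outside the hunk.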
@@ -29,9 +27,9 @@ '--quiet ' '--ca {{ letsencrypt_ca }} ' '--account-key {{ letsencrypt_account_key }} ' - '--csr {{ acme_tiny_data_directory }}/csrs/{0}.csr ' + '--csr {{ acme_tiny_data_directory }}/csrs/{0}-{1}.csr ' '--acme-dir {{ acme_tiny_challenges_directory }}' - ).format(site) + ).format(site, letsencrypt_cert_ids[site]) try: cert = check_output(cmd, stderr=STDOUT, shell=True) diff --git a/roles/wordpress-setup/templates/https.conf.j2 b/roles/wordpress-setup/templates/https.conf.j2 index e975d2034e..ad0510f4f2 100644 --- a/roles/wordpress-setup/templates/https.conf.j2 +++ b/roles/wordpress-setup/templates/https.conf.j2 @@ -13,7 +13,7 @@ add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_sub ssl_certificate {{ nginx_path }}/ssl/{{ item.value.ssl.cert | basename }}; ssl_certificate_key {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }}; {%- elif item.value.ssl.provider | default('manual') == 'letsencrypt' -%} - ssl_certificate {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-bundled.cert; + ssl_certificate {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}-bundled.cert; ssl_certificate_key {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}.key; {%- elif item.value.ssl.provider | default('manual') == 'self-signed' -%} ssl_certificate {{ nginx_path }}/ssl/{{ item.key }}.cert; From ec3165539b56e93d6f24a96ddb2c6cebb7d9f87a Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Mon, 16 Jan 2017 13:19:08 -0800 Subject: [PATCH 126/292] add ability to customize what apt packages are installed --- roles/common/defaults/main.yml | 13 +++++++++++++ roles/common/tasks/main.yml | 10 +--------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index f60073c0eb..11d200dd07 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
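Review bot: In the roles/wordpress-setup/templates/https.conf.j2 hunk, the template now depends on `letsencrypt_cert_ids`, a letsencrypt-role default that is itself built from the `generate_cert_ids` register in roles/letsencrypt/tasks/certificates.yml; if site confs are rendered in a play where that task has not run (the `tags: [wordpress, wordpress-setup]` on it only helps when the letsencrypt role is part of the same play), rendering fails on an undefined `generate_cert_ids`. A comment on this line naming the ordering requirement, e.g. `{# letsencrypt_cert_ids requires the letsencrypt role's 'Generate Lets Encrypt certificate IDs' task to have run in this play #}`, makes the cross-role coupling visible. The enclosing `{% if %}` chain starts and ends outside the hunk.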
@@ -5,3 +5,16 @@ ansible_requirements: operator: '!=' ntp_timezone: Etc/UTC + +apt_packages_default: + - python-software-properties + - python-pycurl + - build-essential + - python-mysqldb + - curl + - git-core + - dbus + - libnss-myhostname + +apt_packages_custom: [] +apt_packages_install: "{{ default_apt_packages + custom_apt_packages }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index bf7d261c17..5f5184bf8b 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -50,15 +50,7 @@ state: present update_cache: true cache_valid_time: "{{ apt_cache_valid_time }}" - with_items: - - python-software-properties - - python-pycurl - - build-essential - - python-mysqldb - - curl - - git-core - - dbus - - libnss-myhostname + with_items: "{{ apt_packages_install }}" - name: Validate timezone variable stat: From 12ae0c98cc1da2c4b8965c39114dcefff5bfd11a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 23 Jan 2017 19:57:47 -0500 Subject: [PATCH 127/292] CHANGELOG entry --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7d226d1148..05ae7e0c90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add `apt_packages_custom` to customize Apt packages ([#735](https://github.com/roots/trellis/pull/735)) * Enable Let's Encrypt to detect updated `site_hosts` ([#630](https://github.com/roots/trellis/pull/630)) * Add `SKIP_GALAXY` env var to skip galaxy install in Vagrant ([#734](https://github.com/roots/trellis/pull/734)) * Avoid `loop.first` variable in conditional jinja loops ([#729](https://github.com/roots/trellis/pull/729)) From e20719dd610cc693da49ef7ed1ad7b7c33c17401 Mon Sep 17 00:00:00 2001 From: Jac Wynn Date: Tue, 24 Jan 2017 14:09:14 -0500 Subject: [PATCH 128/292] Fix apt_packages_custom --- roles/common/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 11d200dd07..c92cf2684e 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -17,4 +17,4 @@ apt_packages_default: - libnss-myhostname apt_packages_custom: [] -apt_packages_install: "{{ default_apt_packages + custom_apt_packages }}" +apt_packages_install: "{{ apt_packages_default + apt_packages_custom }}" From 85dc1def1836212006943be3bea16fa74b596516 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 12:08:07 -0700 Subject: [PATCH 129/292] Disable Let's Encrypt challenge sites as part of WordPress setup Prevents Nginx conf conflicts that could occur if the 'disable temporary challenge sites' handler fails to run and the /etc/nginx/sites-enabled/letsencrypt-example.com.conf is not removed. --- roles/common/handlers/main.yml | 6 +----- roles/common/tasks/disable_challenge_sites.yml | 7 +++++++ roles/wordpress-setup/tasks/nginx.yml | 2 ++ 3 files changed, 10 insertions(+), 5 deletions(-) create mode 100644 roles/common/tasks/disable_challenge_sites.yml diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index ac43c75939..c5051bd403 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,10 +1,6 @@ --- - name: disable temporary challenge sites - file: - path: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item.key }}.conf" - state: absent - with_dict: "{{ wordpress_sites }}" - notify: reload nginx + include: disable_challenge_sites.yml - name: restart memcached service: diff --git a/roles/common/tasks/disable_challenge_sites.yml b/roles/common/tasks/disable_challenge_sites.yml new file mode 100644 index 0000000000..455d7f0cad --- /dev/null +++ b/roles/common/tasks/disable_challenge_sites.yml 
@@ -0,0 +1,7 @@ +--- +- name: disable temporary challenge sites + file: + path: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item }}.conf" + state: absent + with_items: "{{ wordpress_sites.keys() }}" + notify: reload nginx diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index a8494526c8..c81d9fb8e2 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -15,6 +15,8 @@ with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.key is defined +- include: "{{ playbook_dir }}/roles/common/tasks/disable_challenge_sites.yml" + - name: Create Nginx conf for challenges location template: src: "{{ playbook_dir }}/roles/letsencrypt/templates/acme-challenge-location.conf.j2" From 02a8774499469486f38f300f4e3fa1afa6675a94 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 28 Jan 2017 18:05:40 -0700 Subject: [PATCH 130/292] Galaxy roles install step no longer necessary [ci skip] --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 5c2387ebce..2f340b6d2c 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,6 @@ See a complete working example in the [roots-example-project.com repo](https://g 1. Create a new project directory: `$ mkdir example.com && cd example.com` 2. Clone Trellis: `$ git clone --depth=1 git@github.com:roots/trellis.git && rm -rf trellis/.git` 3. Clone Bedrock: `$ git clone --depth=1 git@github.com:roots/bedrock.git site && rm -rf site/.git` -4. Install the Ansible Galaxy roles: `$ cd trellis && ansible-galaxy install -r requirements.yml` Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) for slightly different installation instructions. VirtualBox is known to have poor performance in Windows — use VMware or [see some possible solutions](https://discourse.roots.io/t/virtualbox-performance-in-windows/3932). From cec375ee8e19bddcdd43227a8c6f9b3d46b3ad91 Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Sat, 21 Jan 2017 17:11:44 -0700 Subject: [PATCH 131/292] Enable template inheritance for nginx.conf --- roles/nginx/defaults/main.yml | 1 + roles/nginx/tasks/main.yml | 2 +- roles/nginx/templates/nginx.conf.j2 | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index a77ecfb80d..5ff67d116e 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,4 +1,5 @@ --- +nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx nginx_logs_root: /var/log/nginx nginx_user: www-data diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 312a4741b6..3e2fe462c4 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -39,7 +39,7 @@ - name: Create nginx.conf template: - src: nginx.conf.j2 + src: "{{ nginx_conf }}" dest: "{{ nginx_path }}/nginx.conf" notify: reload nginx diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index ebddab3c3c..125e392fa1 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -32,6 +32,8 @@ error_log {{ nginx_logs_root }}/error.log warn; pid /run/nginx.pid; http { + {% block http_begin %}{% endblock %} + # Hide nginx version information. server_tokens off; From b0972ea83aa2007d69488b6709fd3df7bfacf234 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 21 Jan 2017 17:12:18 -0700 Subject: [PATCH 132/292] Assign jinja template blocks in nginx.conf --- roles/nginx/templates/nginx.conf.j2 | 34 +++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index 125e392fa1..f72d73e8db 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -3,9 +3,12 @@ # nginx Configuration File # http://wiki.nginx.org/Configuration +{% block user %} # Run as a less privileged user for security reasons. user {{ nginx_user }}; +{% endblock %} +{% block worker %} # How many worker threads to run; # "auto" sets it to the number of CPU cores available in the system, and # offers the best performance. Don't set it higher than the number of CPU @@ -18,25 +21,37 @@ worker_processes auto; # Maximum open file descriptors per process; # should be > worker_connections. worker_rlimit_nofile 8192; +{% endblock %} +{% block events %} events { # When you need > 8000 * cpu_cores connections, you start optimizing your OS, # and this is probably the point at which you hire people who are smarter than # you, as this is *a lot* of requests. worker_connections 8000; } +{% endblock %} +{% block error_log %} # Default error log file # (this is only used when you don't override error_log on a server{} level) error_log {{ nginx_logs_root }}/error.log warn; +{% endblock %} + +{% block pid %} +# The file storing the process ID of the main process pid /run/nginx.pid; +{% endblock %} http { {% block http_begin %}{% endblock %} + {% block server_tokens -%} # Hide nginx version information. server_tokens off; + {% endblock %} + {% block cache -%} # Setup the fastcgi cache. fastcgi_buffers {{ nginx_fastcgi_buffers }}; fastcgi_buffer_size {{ nginx_fastcgi_buffer_size }}; 
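Review bot: Wrapping `user {{ nginx_user }};` and `server_tokens off;` in overridable blocks means a child template that redefines `user` or `server_tokens` without calling super() silently drops the non-root worker user or re-exposes the nginx version, and nothing in the template says so. A one-line comment at the top of the `user` block would make the contract explicit, e.g. `# Child templates that override the user or server_tokens blocks replace these security defaults; call super() to keep them.` The same caveat applies to the `server_tokens` block in the second hunk on this line.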
@@ -47,36 +62,52 @@ http { fastcgi_ignore_headers Cache-Control Expires Set-Cookie; fastcgi_pass_header Set-Cookie; fastcgi_pass_header Cookie; + {% endblock %} + {% block mime_types -%} # Define the MIME types for files. include h5bp-server-configs/mime.types; default_type application/octet-stream; + {% endblock %} + {% block charset_types -%} # Update charset_types due to updated mime.types charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml; + {% endblock %} + {% block log_format -%} # Format to use in log files log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; + {% endblock %} + {% block access_log -%} # Default log file # (this is only used when you don't override access_log on a server{} level) access_log {{ nginx_logs_root }}/access.log main; + {% endblock %} + {% block keepalive -%} # How long to allow each connection to stay idle; longer values are better # for each individual client, particularly for SSL, but means that worker # connections are tied up longer. (Default: 65) keepalive_timeout 20; + {% endblock %} + {% block sendfile -%} # Speed up file transfers by using sendfile() to copy directly # between descriptors rather than using read()/write(). sendfile on; + {% endblock %} + {% block tcp_nopush -%} # Tell Nginx not to send out partial frames; this increases throughput # since TCP frames are filled up before being sent out. (adds TCP_CORK) tcp_nopush on; + {% endblock %} + {% block compression -%} # Compression # Enable Gzip compressed. @@ -135,6 +166,9 @@ http { # for the check. It is best if you enable this in a location{} block for # a specific directory, or on an individual server{} level. # gzip_static on; + {% endblock %} + {% block sites_enabled -%} include sites-enabled/*; + {% endblock %} } 
From 4b42f6e5e3cbdd266d253154b09276c59da1f3d7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 21 Jan 2017 17:24:23 -0700 Subject: [PATCH 133/292] Enable template inheritance for wordpress-site.conf --- roles/wordpress-setup/defaults/main.yml | 1 + roles/wordpress-setup/tasks/nginx.yml | 2 +- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 8cb21c1b9a..78e4188a55 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -1,4 +1,5 @@ site_uses_local_db: "{{ site_env.db_host == 'localhost' }}" +nginx_wordpress_site_conf: wordpress-site.conf.j2 nginx_includes_templates_path: nginx-includes nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }}|{{ nginx_includes_deprecated | regex_escape }})/(.*)\\.j2$" diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index c81d9fb8e2..78c70bc083 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -25,7 +25,7 @@ - name: Create WordPress configuration for Nginx template: - src: "wordpress-site.conf.j2" + src: "{{ item.value.nginx_wordpress_site_conf | default(nginx_wordpress_site_conf) }}" dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf" with_dict: "{{ wordpress_sites }}" notify: reload nginx diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index efb80f381f..5d112352b8 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -1,5 +1,7 @@ # {{ ansible_managed }} +{% block server_before %}{% endblock %} + server { listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; 
From f58591fdeb6c06871917d1f29a8ba24a1b87494d Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 21 Jan 2017 19:07:30 -0700 Subject: [PATCH 134/292] Move wordpress-base.conf into wordpress-site.conf --- roles/nginx/tasks/main.yml | 5 ---- roles/nginx/templates/wordpress.conf.j2 | 18 -------------- .../templates/wordpress-site.conf.j2 | 24 ++++++++++++++++++- 3 files changed, 23 insertions(+), 24 deletions(-) delete mode 100644 roles/nginx/templates/wordpress.conf.j2 diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 3e2fe462c4..aad0abe7e5 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -55,11 +55,6 @@ creates: "{{ nginx_path }}/sites-enabled/no-default.conf" notify: reload nginx -- name: Create base WordPress config - template: - src: wordpress.conf.j2 - dest: "{{ nginx_path }}/wordpress.conf" - - name: Create base WordPress subdirectory Multisite config template: src: wordpress_multisite_subdirectories.conf.j2 diff --git a/roles/nginx/templates/wordpress.conf.j2 b/roles/nginx/templates/wordpress.conf.j2 deleted file mode 100644 index 2310e5203b..0000000000 --- a/roles/nginx/templates/wordpress.conf.j2 +++ /dev/null @@ -1,18 +0,0 @@ -# {{ ansible_managed }} - -# Prevent PHP scripts from being executed inside the uploads folder. -location ~* /app/uploads/.*\.php$ { - deny all; -} - -location / { - try_files $uri $uri/ /index.php?$args; -} - -# Set the max body size equal to PHP's max POST size. -client_max_body_size {{ php_post_max_size | default('25m') | lower }}; - -include h5bp/directive-only/x-ua-compatible.conf; -include h5bp/directive-only/extra-security.conf; -include h5bp/location/cross-domain-fonts.conf; -include h5bp/location/protect-system-files.conf; diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 5d112352b8..b7a8e64065 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -14,6 +14,9 @@ server { charset utf-8; + # Set the max body size equal to PHP's max POST size. + client_max_body_size {{ php_post_max_size | default('25m') | lower }}; + {% if env == 'development' -%} # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#virtualbox sendfile off; @@ -53,7 +56,26 @@ server { {% endif -%} include includes.d/{{ item.key }}/*.conf; - include wordpress.conf; + + {% block location_uploads_php -%} + # Prevent PHP scripts from being executed inside the uploads folder. + location ~* /app/uploads/.*\.php$ { + deny all; + } + {% endblock %} + + {% block location_primary -%} + location / { + try_files $uri $uri/ /index.php?$args; + } + {% endblock %} + + {% block h5bp -%} + include h5bp/directive-only/x-ua-compatible.conf; + include h5bp/directive-only/extra-security.conf; + include h5bp/location/cross-domain-fonts.conf; + include h5bp/location/protect-system-files.conf; + {% endblock %} location ~ \.php$ { try_files $uri /index.php; From 16e26c15cb548a1298172b942fe1d9fd2a296893 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 21 Jan 2017 19:19:45 -0700 Subject: [PATCH 135/292] Move wordpress_multisite_subdirectories.conf into wordpress-site.conf --- roles/nginx/tasks/main.yml | 5 ----- .../templates/wordpress_multisite_subdirectories.conf.j2 | 7 ------- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 6 +++++- 3 files changed, 5 insertions(+), 13 deletions(-) delete mode 100644 roles/nginx/templates/wordpress_multisite_subdirectories.conf.j2 diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index aad0abe7e5..5b44176381 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
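Review bot: The `deny all` for `/app/uploads/.*\.php$` only protects uploads because it is emitted before `location ~ \.php$`: nginx uses the first regex location that matches, so a child template that overrides `location_uploads_php` or moves it below the `.php` handler would hand uploaded PHP files to php-fpm without any error. The new block carries over the old comment but not this ordering constraint; add it on the location, e.g. `# Must stay above the PHP handler below: nginx takes the first matching regex location.` The `location ~ \.php$` block begins at the end of this hunk and continues beyond it.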
@@ -54,8 +54,3 @@ args: creates: "{{ nginx_path }}/sites-enabled/no-default.conf" notify: reload nginx - -- name: Create base WordPress subdirectory Multisite config - template: - src: wordpress_multisite_subdirectories.conf.j2 - dest: "{{ nginx_path }}/wordpress_multisite_subdirectories.conf" diff --git a/roles/nginx/templates/wordpress_multisite_subdirectories.conf.j2 b/roles/nginx/templates/wordpress_multisite_subdirectories.conf.j2 deleted file mode 100644 index 6a0f0adf63..0000000000 --- a/roles/nginx/templates/wordpress_multisite_subdirectories.conf.j2 +++ /dev/null @@ -1,7 +0,0 @@ -# {{ ansible_managed }} - -if (!-e $request_filename) { - rewrite /wp-admin$ $scheme://$host$uri/ permanent; - rewrite ^(/[^/]+)?(/wp-.*) /wp$2 last; - rewrite ^(/[^/]+)?(/.*\.php) /wp$2 last; -} diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index b7a8e64065..d2c8b1e21e 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -27,7 +27,11 @@ server { rewrite ^/(wp-.*.php)$ /wp/$1 last; rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last; {%- else -%} - include wordpress_multisite_subdirectories.conf; + if (!-e $request_filename) { + rewrite /wp-admin$ $scheme://$host$uri/ permanent; + rewrite ^(/[^/]+)?(/wp-.*) /wp$2 last; + rewrite ^(/[^/]+)?(/.*\.php) /wp$2 last; + } {%- endif %} {%- endif %} From f681ccc42fff8a2ce13b4a8757d8b412aa2f2f6e Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 21 Jan 2017 19:52:31 -0700 Subject: [PATCH 136/292] Add multisite_rewrites jinja template block --- .../templates/wordpress-site.conf.j2 | 27 +++++++++++-------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index d2c8b1e21e..bae0c0b9e0 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -22,18 +22,23 @@ server { sendfile off; {%- endif %} + {% block multisite_rewrites -%} {% if item.value.multisite.enabled | default(false) -%} - {% if item.value.multisite.subdomains | default(false) -%} - rewrite ^/(wp-.*.php)$ /wp/$1 last; - rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last; - {%- else -%} - if (!-e $request_filename) { - rewrite /wp-admin$ $scheme://$host$uri/ permanent; - rewrite ^(/[^/]+)?(/wp-.*) /wp$2 last; - rewrite ^(/[^/]+)?(/.*\.php) /wp$2 last; - } - {%- endif %} - {%- endif %} + # Multisite rewrites + {% if item.value.multisite.subdomains | default(false) -%} + rewrite ^/(wp-.*.php)$ /wp/$1 last; + rewrite ^/(wp-(content|admin|includes).*) /wp/$1 last; + + {% else -%} + if (!-e $request_filename) { + rewrite /wp-admin$ $scheme://$host$uri/ permanent; + rewrite ^(/[^/]+)?(/wp-.*) /wp$2 last; + rewrite ^(/[^/]+)?(/.*\.php) /wp$2 last; + } + + {% endif -%} + {% endif -%} + {% endblock -%} add_header Fastcgi-Cache $upstream_cache_status; From 0f9c92e9d671531ac4437407059038173c5a3284 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 21 Jan 2017 23:05:26 -0700 Subject: [PATCH 137/292] Move https.conf into wordpress-site.conf --- roles/nginx/defaults/main.yml | 6 ---- roles/wordpress-setup/defaults/main.yml | 13 ++++++++ roles/wordpress-setup/templates/https.conf.j2 | 22 ------------- .../templates/wordpress-site.conf.j2 | 32 ++++++++++++++++--- 4 files changed, 41 insertions(+), 32 deletions(-) delete mode 100644 roles/wordpress-setup/templates/https.conf.j2 diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 5ff67d116e..03b0edb06a 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml 
@@ -5,12 +5,6 @@ nginx_logs_root: /var/log/nginx nginx_user: www-data nginx_fastcgi_buffers: 8 8k nginx_fastcgi_buffer_size: 8k -nginx_ssl_path: "{{ nginx_path }}/ssl" - -# HSTS defaults -nginx_hsts_max_age: 31536000 -nginx_hsts_include_subdomains: true -nginx_hsts_preload: false # Fastcgi cache params nginx_cache_path: /var/cache/nginx diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 78e4188a55..60c72190e1 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -1,5 +1,18 @@ site_uses_local_db: "{{ site_env.db_host == 'localhost' }}" nginx_wordpress_site_conf: wordpress-site.conf.j2 +nginx_ssl_path: "{{ nginx_path }}/ssl" + +# HSTS defaults +nginx_hsts_max_age: 31536000 +nginx_hsts_include_subdomains: true +nginx_hsts_preload: false + +# HSTS helpers +hsts_max_age: "{{ item.value.ssl.hsts_max_age | default(nginx_hsts_max_age) }}" +hsts_include_subdomains: "{{ item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubDomains', None) }}" +hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | ternary('preload', None) }}" + +# Nginx includes nginx_includes_templates_path: nginx-includes nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }}|{{ nginx_includes_deprecated | regex_escape }})/(.*)\\.j2$" diff --git a/roles/wordpress-setup/templates/https.conf.j2 b/roles/wordpress-setup/templates/https.conf.j2 deleted file mode 100644 index ad0510f4f2..0000000000 --- a/roles/wordpress-setup/templates/https.conf.j2 +++ /dev/null 
@@ -1,22 +0,0 @@ -include h5bp/directive-only/ssl.conf; -include h5bp/directive-only/ssl-stapling.conf; - -ssl_dhparam /etc/nginx/ssl/dhparams.pem; -ssl_buffer_size 1400; # 1400 bytes to fit in one MTU - -{% set hsts_max_age = item.value.ssl.hsts_max_age | default(nginx_hsts_max_age) %} -{% set hsts_include_subdomains = item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubDomains', None) %} -{% set hsts_preload = item.value.ssl.hsts_preload | default(nginx_hsts_preload) | ternary('preload', None) %} -add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}"; - -{% if item.value.ssl.provider | default('manual') == 'manual' and item.value.ssl.cert is defined and item.value.ssl.key is defined -%} - ssl_certificate {{ nginx_path }}/ssl/{{ item.value.ssl.cert | basename }}; - ssl_certificate_key {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }}; -{%- elif item.value.ssl.provider | default('manual') == 'letsencrypt' -%} - ssl_certificate {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}-bundled.cert; - ssl_certificate_key {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}.key; -{%- elif item.value.ssl.provider | default('manual') == 'self-signed' -%} - ssl_certificate {{ nginx_path }}/ssl/{{ item.key }}.cert; - ssl_trusted_certificate {{ nginx_path }}/ssl/{{ item.key }}.cert; - ssl_certificate_key {{ nginx_path }}/ssl/{{ item.key }}.key; -{%- endif -%} diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index bae0c0b9e0..07fabeaa81 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
@@ -11,7 +11,7 @@ server { root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web; index index.php index.htm index.html; - + add_header Fastcgi-Cache $upstream_cache_status; charset utf-8; # Set the max body size equal to PHP's max POST size. @@ -40,9 +40,33 @@ server { {% endif -%} {% endblock -%} - add_header Fastcgi-Cache $upstream_cache_status; + {% block https -%} + {% if ssl_enabled -%} + # SSL configuration + include h5bp/directive-only/ssl.conf; + include h5bp/directive-only/ssl-stapling.conf; + + ssl_dhparam /etc/nginx/ssl/dhparams.pem; + ssl_buffer_size 1400; # 1400 bytes to fit in one MTU + + add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}"; + + {% if item.value.ssl.provider | default('manual') == 'manual' and item.value.ssl.cert is defined and item.value.ssl.key is defined -%} + ssl_certificate {{ nginx_path }}/ssl/{{ item.value.ssl.cert | basename }}; + ssl_certificate_key {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }}; - {% if ssl_enabled %}{{ lookup('template', 'https.conf.j2') }}{% endif %} + {% elif item.value.ssl.provider | default('manual') == 'letsencrypt' -%} + ssl_certificate {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}-bundled.cert; + ssl_certificate_key {{ nginx_path }}/ssl/letsencrypt/{{ item.key }}.key; + + {% elif item.value.ssl.provider | default('manual') == 'self-signed' -%} + ssl_certificate {{ nginx_path }}/ssl/{{ item.key }}.cert; + ssl_trusted_certificate {{ nginx_path }}/ssl/{{ item.key }}.cert; + ssl_certificate_key {{ nginx_path }}/ssl/{{ item.key }}.key; + + {% endif -%} + {% endif -%} + {% endblock -%} {% if not ssl_enabled %}include acme-challenge-location.conf;{% endif %} 
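Review bot: `hsts_include_subdomains` and `hsts_preload` now come from role defaults (the deleted `https.conf.j2` set them with `{% set %}` inside the template), so their `ternary(..., None)` result passes through Ansible's variable templating before `reject('none')` sees it; as far as I recall Ansible's Jinja finalize renders a bare `None` as an empty string — verify on this Ansible version — in which case the disabled flags are no longer dropped and the header renders as `max-age=31536000; includeSubDomains; ` with an empty trailing directive. RFC 6797 tolerates empty directives, so this is cosmetic rather than a bypass, but it should be checked on a host with `hsts_preload` left at its default; filtering on truthiness sidesteps the `None`-vs-`''` question: `add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | select | join('; ') }}";`. Unrelated to this move, `add_header` without the `always` parameter omits the header on 4xx/5xx responses, which predates this commit.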
@@ -121,7 +145,7 @@ server { server { listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; - {% if ssl_enabled %}{{ lookup('template', 'https.conf.j2') }}{% endif %} + {{ self.https() -}} server_name {{ host.redirects | join(' ') }}; From cc111357ed8c6364e27017eb1884662b67e6ca0b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 21 Jan 2017 23:27:22 -0700 Subject: [PATCH 138/292] Add cache jinja template blocks --- roles/nginx/defaults/main.yml | 3 -- roles/wordpress-setup/defaults/main.yml | 5 +++ .../templates/wordpress-site.conf.j2 | 38 +++++++++---------- 3 files changed, 24 insertions(+), 22 deletions(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 03b0edb06a..09f95c6731 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -8,9 +8,6 @@ nginx_fastcgi_buffer_size: 8k # Fastcgi cache params nginx_cache_path: /var/cache/nginx -nginx_cache_duration: 30s nginx_cache_key_storage_size: 10m nginx_cache_size: 250m nginx_cache_inactive: 1h -nginx_skip_cache_uri: /wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml -nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 60c72190e1..d987f25560 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
@@ -12,6 +12,11 @@ hsts_max_age: "{{ item.value.ssl.hsts_max_age | default(nginx_hsts_max_age) }}" hsts_include_subdomains: "{{ item.value.ssl.hsts_include_subdomains | default(nginx_hsts_include_subdomains) | ternary('includeSubDomains', None) }}" hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | ternary('preload', None) }}" +# Fastcgi cache params +nginx_cache_duration: 30s +nginx_skip_cache_uri: /wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml +nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in + # Nginx includes nginx_includes_templates_path: nginx-includes nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 07fabeaa81..c6f81e0360 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
@@ -70,23 +70,21 @@ server { {% if not ssl_enabled %}include acme-challenge-location.conf;{% endif %} + {% block cache_conditions -%} {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} - set $skip_cache 0; - - if ($query_string != "") { - set $skip_cache 1; - } - - # Don't cache uris containing the following segments - if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") { - set $skip_cache 1; - } - - # Don't use the cache if cookies includes the following - if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { - set $skip_cache 1; - } + # Fastcgi cache conditions + set $skip_cache 0; + if ($query_string != "") { + set $skip_cache 1; + } + if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") { + set $skip_cache 1; + } + if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { + set $skip_cache 1; + } {% endif -%} + {% endblock %} include includes.d/{{ item.key }}/*.conf; @@ -113,12 +111,14 @@ server { location ~ \.php$ { try_files $uri /index.php; + {% block cache_config -%} {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} - fastcgi_cache wordpress; - fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }}; - fastcgi_cache_bypass $skip_cache; - fastcgi_no_cache $skip_cache; + fastcgi_cache wordpress; + fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }}; + fastcgi_cache_bypass $skip_cache; + fastcgi_no_cache $skip_cache; {% endif -%} + {% endblock -%} include fastcgi_params; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; From fcd9b6c1747a9357ba8203e0095b66cad4f03f28 Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Sun, 22 Jan 2017 00:01:31 -0700 Subject: [PATCH 139/292] Add redirects jinja template blocks --- .../templates/wordpress-site.conf.j2 | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index c6f81e0360..cc197907ef 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -68,7 +68,9 @@ server { {% endif -%} {% endblock -%} - {% if not ssl_enabled %}include acme-challenge-location.conf;{% endif %} + {% block acme_challenge -%} + include acme-challenge-location.conf; + {% endblock %} {% block cache_conditions -%} {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} @@ -127,36 +129,39 @@ server { } } +{% block redirects_https %} {% if ssl_enabled %} +# Redirect to https server { listen 80; - server_name {{ site_hosts | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | join(' *.') }}{% endif %}; - include acme-challenge-location.conf; + {{ self.acme_challenge() -}} location / { return 301 https://$host$request_uri; } } + {% endif %} +{% endblock -%} +{%- block redirects_domains %} +{% if site_hosts_redirects | default([]) | count %} +# Redirect some domains +{% endif %} {% for host in item.value.site_hosts if host.redirects | default([]) %} server { listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; + server_name {{ host.redirects | join(' ') }}; {{ self.https() -}} - server_name {{ host.redirects | join(' ') }}; - - {% if not ssl_enabled -%} - include acme-challenge-location.conf; + {{ self.acme_challenge() -}} - location / { - return 301 $scheme://{{ host.canonical }}$request_uri; - } - {% else %} + location / { return 301 $scheme://{{ host.canonical }}$request_uri; - {% endif %} + } } {% endfor %} +{% endblock %} 
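Review bot: The HTTP-to-HTTPS redirect server loses its `server_name`: the `server_name {{ site_hosts | join(' ') }}…` line is removed and nothing replaces it (the visible `+`/`-` lines account exactly for the commit's 17/12 diffstat), leaving a `listen 80` block with an empty server name. nginx only routes requests to such a block as the default server for port 80, so depending on include order against the no-default catch-all this either breaks the redirect for the site's own hosts or makes this block answer every unmatched Host header with a 301 to `https://$host$request_uri`. Restore the removed line inside the block, `server_name {{ site_hosts | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | join(' *.') }}{% endif %};`, unless a later commit in this series already does so.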
From 8812bc925868656f758dd4ced36e772baf770dde Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 22 Jan 2017 01:41:40 -0700 Subject: [PATCH 140/292] Add remaining jinja template blocks to wordpress-site.conf --- .../templates/wordpress-site.conf.j2 | 31 ++++++++++++++++--- 1 file changed, 27 insertions(+), 4 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index cc197907ef..67e995ee3b 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -3,12 +3,17 @@ {% block server_before %}{% endblock %} server { + {% block server_id -%} listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; - server_name {% for host in site_hosts_canonical %}{{ host }} {% if item.value.multisite.subdomains | default(false) %}*.{{ host }} {% endif %}{% endfor %}; + {% endblock %} + + {% block logs -%} access_log {{ www_root }}/{{ item.key }}/logs/access.log main; error_log {{ www_root }}/{{ item.key }}/logs/error.log; + {% endblock %} + {% block server_basic -%} root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web; index index.php index.htm index.html; add_header Fastcgi-Cache $upstream_cache_status; @@ -20,7 +25,9 @@ server { {% if env == 'development' -%} # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#virtualbox sendfile off; - {%- endif %} + + {% endif -%} + {% endblock -%} {% block multisite_rewrites -%} {% if item.value.multisite.enabled | default(false) -%} @@ -70,7 +77,8 @@ server { {% block acme_challenge -%} include acme-challenge-location.conf; - {% endblock %} + + {% endblock -%} {% block cache_conditions -%} {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} 
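Review bot: The primary server block appears to lose its `server_name` as well: inside the new `server_id` block the `server_name {% for host in site_hosts_canonical %}…` line is shown only as removed, no added counterpart is visible, and the commit's 4 deletions are all accounted for here. If that reading is right, the site's main `listen 443`/`80` server has an empty name and is reached only as the port's default server, so host matching (and with it the no-default catch-all) no longer behaves as configured. The line belongs in `server_id` alongside `listen`: `server_name {% for host in site_hosts_canonical %}{{ host }} {% if item.value.multisite.subdomains | default(false) %}*.{{ host }} {% endif %}{% endfor %};` — please confirm against the full patch, since the collapsed rendering could hide a whitespace-only re-add.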
@@ -85,11 +93,15 @@ server { if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { set $skip_cache 1; } + {% endif -%} - {% endblock %} + {% endblock -%} + {% block includes_d -%} include includes.d/{{ item.key }}/*.conf; + {% endblock -%} + {% block location_uploads_php -%} # Prevent PHP scripts from being executed inside the uploads folder. location ~* /app/uploads/.*\.php$ { @@ -110,23 +122,34 @@ server { include h5bp/location/protect-system-files.conf; {% endblock %} + {% block location_php -%} location ~ \.php$ { + {% block location_php_basic -%} try_files $uri /index.php; + {% endblock -%} + {% block cache_config -%} {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} + # Fastcgi cache settings fastcgi_cache wordpress; fastcgi_cache_valid {{ item.value.cache.duration | default(nginx_cache_duration) }}; fastcgi_cache_bypass $skip_cache; fastcgi_no_cache $skip_cache; + {% endif -%} {% endblock -%} + {% block fastcgi_basic -%} include fastcgi_params; fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT $realpath_root; fastcgi_pass unix:/var/run/php-fpm-wordpress.sock; + {%- endblock %} + } + {%- endblock %} + } {% block redirects_https %} From 346d97ef7ca0f0d34b1fa09b23b7f896426aa00b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 22 Jan 2017 02:07:46 -0700 Subject: [PATCH 141/292] Add task tags convenient for nginx-includes and nginx confs --- CHANGELOG.md | 1 + roles/letsencrypt/tasks/certificates.yml | 2 +- roles/nginx/tasks/main.yml | 1 + roles/wordpress-setup/tasks/main.yml | 2 +- roles/wordpress-setup/tasks/nginx.yml | 1 + 5 files changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 05ae7e0c90..5f0775bdb1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Accommodate template inheritance for nginx confs ([#740](https://github.com/roots/trellis/pull/740)) * Add `apt_packages_custom` to customize Apt packages ([#735](https://github.com/roots/trellis/pull/735)) * Enable Let's Encrypt to detect updated `site_hosts` ([#630](https://github.com/roots/trellis/pull/630)) * Add `SKIP_GALAXY` env var to skip galaxy install in Vagrant ([#734](https://github.com/roots/trellis/pull/734)) diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml index f0fe4080e8..74dd7e5997 100644 --- a/roles/letsencrypt/tasks/certificates.yml +++ b/roles/letsencrypt/tasks/certificates.yml @@ -22,7 +22,7 @@ changed_when: false when: site_uses_letsencrypt with_dict: "{{ wordpress_sites }}" - tags: [wordpress, wordpress-setup] + tags: [wordpress, wordpress-setup, nginx-includes] - name: Generate CSRs shell: "openssl req -new -sha256 -key '{{ letsencrypt_keys_dir }}/{{ item.key }}.key' -subj '/' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{{ site_hosts | join(',DNS:') }}')) > {{ acme_tiny_data_directory }}/csrs/{{ item.key }}-{{ letsencrypt_cert_ids[item.key] }}.csr" diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 5b44176381..b286d614da 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -42,6 +42,7 @@ src: "{{ nginx_conf }}" dest: "{{ nginx_path }}/nginx.conf" notify: reload nginx + tags: nginx-includes - name: Disable default server file: diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 79b59be7c0..28e5fe7bed 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -36,7 +36,7 @@ notify: reload php-fpm - include: nginx-includes.yml - tags: [wordpress-setup-nginx-includes, wordpress-setup-nginx] + tags: [nginx-includes, wordpress-setup-nginx] - include: nginx.yml tags: wordpress-setup-nginx 
diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index 78c70bc083..b4f3f43c0e 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -29,6 +29,7 @@ dest: "{{ nginx_path }}/sites-available/{{ item.key }}.conf" with_dict: "{{ wordpress_sites }}" notify: reload nginx + tags: nginx-includes - name: Enable WordPress site file: From aeaa7e0683c8d8e86056ab43f387afc60a819ded Mon Sep 17 00:00:00 2001 From: Nathaniel Schweinberg Date: Tue, 7 Feb 2017 09:45:05 -0800 Subject: [PATCH 142/292] add ability to specify what host the mysql user will connect from --- group_vars/all/helpers.yml | 1 + roles/wordpress-setup/tasks/database.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 243c14b21f..ab9c007cc2 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -2,6 +2,7 @@ wordpress_env_defaults: db_host: localhost db_name: "{{ item.key | underscore }}_{{ env }}" db_user: "{{ item.key | underscore }}" + db_user_host: localhost disable_wp_cron: true wp_env: "{{ env }}" wp_home: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}" diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index 63db5b5cbc..d4a8e74282 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -13,6 +13,7 @@ mysql_user: name: "{{ site_env.db_user }}" password: "{{ site_env.db_password }}" + host: "{{ site_env.db_user_host }}" append_privs: yes priv: "{{ site_env.db_name }}.*:ALL" state: present From be43a488ed37a67ef918b44e323ab6725462882e Mon Sep 17 00:00:00 2001 
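Review bot: `db_user_host` is interpolated straight into `mysql_user`'s `host`, so a value such as `%` grants the site user's `ALL` privileges on the database to connections from any host, and changing the value later creates a second `user@host` identity rather than moving the existing `localhost` one (MySQL accounts are keyed on both parts). A comment next to the new default in helpers.yml would help, e.g. `# Host the DB user may connect from; keep localhost unless the DB server is remote, and prefer a specific address over '%'.` The rest of the `mysql_user` task is context outside this hunk.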
From: Phil Nelson Date: Fri, 10 Feb 2017 16:46:57 -0700 Subject: [PATCH 143/292] Use registered var instead of lookup plugin for IP lookup Ansible lookup plugins are lazy evaluated at multiple points in time. Using the command module instead of a lookup ensures only a single connection to api.ipify.org and avoids confusion of potential failures at random points during the playbook. --- group_vars/all/main.yml | 2 +- roles/common/tasks/main.yml | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 0a189f9617..466d3752c0 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -6,7 +6,7 @@ ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www ip_whitelist: - - "{{ lookup('pipe', 'curl -4 -s https://api.ipify.org') }}" + - "{{ (env == 'development') | ternary(ansible_default_ipv4.gateway, ssh_client_ip.stdout | default('')) }}" # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 5f5184bf8b..eeb2f82eb9 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -77,3 +77,12 @@ name: vagrant generate_ssh_key: yes when: env == 'development' + +- name: Retrieve SSH client IP + command: curl -4 -s https://api.ipify.org + args: + warn: false + changed_when: false + register: ssh_client_ip + when: env != 'development' and ssh_client_ip_lookup | default(true) + tags: [fail2ban, ferm] From f65cf5050b27e72d009a470b7620606a3f2b2678 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 10 Feb 2017 19:22:21 -0700 Subject: [PATCH 144/292] Use ipify_facts module for IP lookup --- group_vars/all/main.yml | 2 +- roles/common/tasks/main.yml | 8 +++----- 2 files changed, 4 insertions(+), 6 deletions(-) 
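Review bot: When the new lookup task is skipped via `ssh_client_ip_lookup: false`, `ssh_client_ip.stdout | default('')` puts an empty string into `ip_whitelist`; whether the ferm/fail2ban templates that consume the list tolerate an empty entry is not visible here, so filtering it out at the source, e.g. `ip_whitelist: "{{ [ ... ] | reject('equalto', '') | list }}"`, is safer than relying on every consumer to skip it. The same `default('')` survives the `ipify_public_ip` rewrite in the next commit's group_vars hunk. It is also worth a comment on `ip_whitelist` that the value is the controller's public address as seen by api.ipify.org, which behind NAT or a VPN can differ from the address the SSH session actually arrives from.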
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index 466d3752c0..bcc0f88483 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -6,7 +6,7 @@ ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www ip_whitelist: - - "{{ (env == 'development') | ternary(ansible_default_ipv4.gateway, ssh_client_ip.stdout | default('')) }}" + - "{{ (env == 'development') | ternary(ansible_default_ipv4.gateway, ipify_public_ip | default('')) }}" # Values of raw_vars will be wrapped in `{% raw %}` to avoid templating problems if values include `{%` and `{{`. # Will recurse dicts/lists. `*` is wildcard for one or more dict keys, list indices, or strings. Example: diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index eeb2f82eb9..6260b0dd29 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -79,10 +79,8 @@ when: env == 'development' - name: Retrieve SSH client IP - command: curl -4 -s https://api.ipify.org - args: - warn: false - changed_when: false - register: ssh_client_ip + ipify_facts: + connection: local + become: no when: env != 'development' and ssh_client_ip_lookup | default(true) tags: [fail2ban, ferm] From 88615be61abe9500aaf11a8548bc467710cdddb8 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 8 Feb 2017 08:19:17 -0700 Subject: [PATCH 145/292] Add generate_cert_ids default to avoid variable undefined error --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index 76d480fb7c..ec10aa7d20 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
@@ -2,7 +2,7 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if s letsencrypt_enabled: "{{ sites_using_letsencrypt | count }}" site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' }}" missing_hosts: "{{ site_uses_letsencrypt | ternary(site_hosts, []) | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" -letsencrypt_cert_ids: "{ {% for item in generate_cert_ids.results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" +letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' acme_tiny_commit: '5a7b4e79bc9bd5b51739c0d8aaf644f62cc440e6' From 5bffe9bf22b95e448f71c167fdd2f0b837fd9501 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 11 Feb 2017 19:28:31 -0700 Subject: [PATCH 146/292] Add basic git repo host keys to known_hosts (#751) --- CHANGELOG.md | 1 + group_vars/all/known_hosts.yml | 18 ++++++++++++++++++ roles/deploy/tasks/update.yml | 10 +++++++++- roles/wordpress-install/tasks/main.yml | 8 ++++++++ 4 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 group_vars/all/known_hosts.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 5f0775bdb1..5ccebe6b22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Add basic git repo host keys to `known_hosts` ([#751](https://github.com/roots/trellis/pull/751)) * Accommodate template inheritance for nginx confs ([#740](https://github.com/roots/trellis/pull/740)) * Add `apt_packages_custom` to customize Apt packages ([#735](https://github.com/roots/trellis/pull/735)) * Enable Let's Encrypt to detect updated `site_hosts` ([#630](https://github.com/roots/trellis/pull/630)) diff --git a/group_vars/all/known_hosts.yml b/group_vars/all/known_hosts.yml new file mode 100644 index 0000000000..b8af937ca5 --- /dev/null +++ b/group_vars/all/known_hosts.yml 
@@ -0,0 +1,18 @@ +# Documentation: https://roots.io/trellis/docs/troubleshooting/#composer-install-host-key-verification-failed + +# Host keys to add to known_hosts, e.g., +# - git host for Bedrock-based project (`repo` variable in `wordpress_sites`) +# - git hosts in Bedrock project's composer.json +known_hosts: + - name: github.com + key: github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + - name: bitbucket.org + key: bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + - name: gitlab.com + key: gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + - name: gitlab.com + key: gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + +# Whether to automatically accept the host key for your `repo` (in `wordpress_sites`) during git clone. +# To avoid man-in-the-middle attacks, set this to `false` and add repo host key to `known_hosts` above. +repo_accept_hostkey: true 
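Review bot: `repo_accept_hostkey: true` keeps the deploy's git clone on trust-on-first-use even though the file now ships pinned keys for the common hosts, so the safer setting is only reached by users who read the comment; at minimum the comment should say that the pinned keys themselves need to be checked against each provider's published fingerprints before this file is trusted. Pinned host keys also go stale when a provider rotates them, so a note on how to refresh an entry (for example with `ssh-keyscan -t rsa,ed25519 <host>`) would save a confusing `Host key verification failed` later. This is a new file, so the whole content is the hunk.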
diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 539fe30720..4af0bb40da 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -2,6 +2,14 @@ - include: "{{ deploy_update_before | default('../hooks/example.yml') }}" tags: deploy-update-before +- name: Add known_hosts + known_hosts: + name: "{{ item.name }}" + key: "{{ item.key | default(omit) }}" + path: "{{ item.path | default('/home/' + ansible_user + '/.ssh/known_hosts') }}" + state: "{{ item.state | default('present') }}" + with_items: "{{ known_hosts | default([]) }}" + - name: Check whether project source path is a git repo stat: path: "{{ project_source_path }}/.git" @@ -26,7 +34,7 @@ repo: "{{ project_git_repo }}" dest: "{{ project_source_path }}" version: "{{ project_version }}" - accept_hostkey: yes + accept_hostkey: "{{ repo_accept_hostkey | default(true) }}" ignore_errors: true no_log: true register: git_clone diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 06a8d11a1e..b046a8c183 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -16,6 +16,14 @@ register: env_file changed_when: env_file.stdout == "{{ item.key }}.env" +- name: Add known_hosts + known_hosts: + name: "{{ item.name }}" + key: "{{ item.key | default(omit) }}" + path: "{{ item.path | default('/home/' + ansible_user + '/.ssh/known_hosts') }}" + state: "{{ item.state | default('present') }}" + with_items: "{{ known_hosts | default([]) }}" + - name: Install Dependencies with Composer composer: no_dev: no From f5c32130bcf25c43ba63121dfca328163943eaa8 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 26 Jan 2017 18:13:58 -0700 Subject: [PATCH 147/292] Remove outdated protocol 1 sshd params --- roles/sshd/defaults/main.yml | 4 ---- roles/sshd/templates/sshd_config.j2 | 4 ---- 2 files changed, 8 deletions(-) 
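Review bot: The `Add known_hosts` task is copied verbatim into roles/deploy/tasks/update.yml and roles/wordpress-install/tasks/main.yml; moving it into one shared task file that both roles include keeps the two from drifting. The default `path` of `'/home/' + ansible_user + '/.ssh/known_hosts'` assumes a conventional home directory and an existing `~/.ssh`; whether the `known_hosts` module creates the parent directory is not visible here, so either ensure the directory exists beforehand or document the assumption on the task. The clone task's existing `no_log: true` will also hide the host-key rejection message when `repo_accept_hostkey` is `false`, which is worth a comment pointing at wherever `git_clone` is reported later.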
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 1c821320d6..557f476273 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -6,18 +6,14 @@ sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key sshd_use_privilege_separation: true -sshd_key_regeneration_interval: 3600 -sshd_server_key_bits: 768 sshd_syslog_facility: AUTH sshd_log_level: INFO sshd_login_grace_time: 120 sshd_permit_root_login: true sshd_strict_modes: true -sshd_rsa_authentication: true sshd_pubkey_authentication: true sshd_authorized_keys_file: "%h/.ssh/authorized_keys" sshd_ignore_rhosts: true -sshd_rhosts_rsa_authentication: false sshd_host_based_authentication: false sshd_ignore_user_known_hosts: false sshd_permit_empty_passwords: false diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index e0114d81c8..a91edc2c69 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 
@@ -7,18 +7,14 @@ HostKey {{ sshd_host_rsa_key }} HostKey {{ sshd_host_dsa_key }} HostKey {{ sshd_host_ecdsa_key }} UsePrivilegeSeparation {{ sshd_use_privilege_separation | ternary('yes', 'no') }} -KeyRegenerationInterval {{ sshd_key_regeneration_interval }} -ServerKeyBits {{ sshd_server_key_bits }} SyslogFacility {{ sshd_syslog_facility }} LogLevel {{ sshd_log_level }} LoginGraceTime {{ sshd_login_grace_time }} PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }} StrictModes {{ sshd_strict_modes | ternary('yes', 'no') }} -RSAAuthentication {{ sshd_rsa_authentication | ternary('yes', 'no') }} PubkeyAuthentication {{ sshd_pubkey_authentication | ternary('yes', 'no') }} AuthorizedKeysFile {{ sshd_authorized_keys_file }} IgnoreRhosts {{ sshd_ignore_rhosts | ternary('yes', 'no') }} -RhostsRSAAuthentication {{ sshd_rhosts_rsa_authentication | ternary('yes', 'no') }} HostbasedAuthentication {{ sshd_host_based_authentication | ternary('yes', 'no') }} IgnoreUserKnownHosts {{ sshd_ignore_user_known_hosts | ternary('yes', 'no') }} PermitEmptyPasswords {{ sshd_permit_empty_passwords | ternary('yes', 'no') }} From d04cbe0904be62b5eeb18f7d7b0507f4ad219970 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 11:25:44 -0700 Subject: [PATCH 148/292] Change existing sshd params to better defaults --- roles/sshd/defaults/main.yml | 10 +++++----- roles/sshd/templates/sshd_config.j2 | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 557f476273..4130c76107 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -8,7 +8,7 @@ sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key sshd_use_privilege_separation: true sshd_syslog_facility: AUTH sshd_log_level: INFO -sshd_login_grace_time: 120 +sshd_login_grace_time: 30 sshd_permit_root_login: true sshd_strict_modes: true sshd_pubkey_authentication: true 
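Review bot: The commit tightens `sshd_login_grace_time` but leaves `sshd_permit_root_login: true` (context in the same hunk), and because the template renders it through `ternary('yes', 'no')` the intermediate `PermitRootLogin prohibit-password` setting cannot be expressed at all. With `sshd_password_authentication: false` root login is effectively key-only, but a comment on the default stating that, and why root login stays enabled for this role, would make the intent explicit for anyone auditing the generated sshd_config.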
@@ -21,13 +21,13 @@ sshd_challenge_response_authentication: false sshd_password_authentication: false sshd_gss_api_authentication: false sshd_gss_api_cleanup_credentials: true -sshd_x11_forwarding: true +sshd_x11_forwarding: false sshd_x11_display_offset: 10 sshd_print_motd: false -sshd_print_last_log: true +sshd_print_last_log: false sshd_tcp_keep_alive: true sshd_max_startups: 10:30:100 sshd_banner: none -sshd_accept_env: LANG LC_* -sshd_subsystem: sftp /usr/lib/openssh/sftp-server +sshd_accept_env: [] +sshd_subsystem: sftp internal-sftp sshd_use_pam: true diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index a91edc2c69..564f597c52 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -29,6 +29,6 @@ PrintLastLog {{ sshd_print_last_log | ternary('yes', 'no') }} TCPKeepAlive {{ sshd_tcp_keep_alive | ternary('yes', 'no') }} MaxStartups {{ sshd_max_startups }} Banner {{ sshd_banner }} -AcceptEnv {{ sshd_accept_env }} +AcceptEnv {{ sshd_accept_env | join(' ') }} Subsystem {{ sshd_subsystem }} UsePAM {{ sshd_use_pam | ternary('yes', 'no') }} From 247165188dd7739a9c86dbbf2ca65123e68193b1 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 16:29:19 -0700 Subject: [PATCH 149/292] Omit sshd params whose system defaults few users will change --- roles/sshd/defaults/main.yml | 15 --------------- roles/sshd/templates/sshd_config.j2 | 15 --------------- 2 files changed, 30 deletions(-) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 4130c76107..b312bc83fa 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml 
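Review bot: With the new default `sshd_accept_env: []`, `AcceptEnv {{ sshd_accept_env | join(' ') }}` renders a bare `AcceptEnv` with no argument; I believe sshd treats that as a no-op, but it is worth confirming with `sshd -T`, and wrapping the line in `{% if sshd_accept_env %}…{% endif %}` avoids depending on it. Dropping `LANG LC_*` from the accepted environment is a reasonable hardening default but changes locale behaviour for interactive users, so a one-line comment on the variable saying what to add back would help.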
@@ -5,29 +5,14 @@ sshd_protocol: 2 sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key -sshd_use_privilege_separation: true -sshd_syslog_facility: AUTH -sshd_log_level: INFO sshd_login_grace_time: 30 sshd_permit_root_login: true -sshd_strict_modes: true -sshd_pubkey_authentication: true -sshd_authorized_keys_file: "%h/.ssh/authorized_keys" -sshd_ignore_rhosts: true -sshd_host_based_authentication: false -sshd_ignore_user_known_hosts: false -sshd_permit_empty_passwords: false sshd_challenge_response_authentication: false sshd_password_authentication: false -sshd_gss_api_authentication: false -sshd_gss_api_cleanup_credentials: true sshd_x11_forwarding: false -sshd_x11_display_offset: 10 sshd_print_motd: false sshd_print_last_log: false sshd_tcp_keep_alive: true -sshd_max_startups: 10:30:100 -sshd_banner: none sshd_accept_env: [] sshd_subsystem: sftp internal-sftp sshd_use_pam: true diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index 564f597c52..d3753b1ff1 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 
@@ -6,29 +6,14 @@ Protocol {{ sshd_protocol }} HostKey {{ sshd_host_rsa_key }} HostKey {{ sshd_host_dsa_key }} HostKey {{ sshd_host_ecdsa_key }} -UsePrivilegeSeparation {{ sshd_use_privilege_separation | ternary('yes', 'no') }} -SyslogFacility {{ sshd_syslog_facility }} -LogLevel {{ sshd_log_level }} LoginGraceTime {{ sshd_login_grace_time }} PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }} -StrictModes {{ sshd_strict_modes | ternary('yes', 'no') }} -PubkeyAuthentication {{ sshd_pubkey_authentication | ternary('yes', 'no') }} -AuthorizedKeysFile {{ sshd_authorized_keys_file }} -IgnoreRhosts {{ sshd_ignore_rhosts | ternary('yes', 'no') }} -HostbasedAuthentication {{ sshd_host_based_authentication | ternary('yes', 'no') }} -IgnoreUserKnownHosts {{ sshd_ignore_user_known_hosts | ternary('yes', 'no') }} -PermitEmptyPasswords {{ sshd_permit_empty_passwords | ternary('yes', 'no') }} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} PasswordAuthentication {{ sshd_password_authentication | ternary('yes', 'no') }} -GSSAPIAuthentication {{ sshd_gss_api_authentication | ternary('yes', 'no') }} -GSSAPICleanupCredentials {{ sshd_gss_api_cleanup_credentials | ternary('yes', 'no') }} X11Forwarding {{ sshd_x11_forwarding | ternary('yes', 'no') }} -X11DisplayOffset {{ sshd_x11_display_offset }} PrintMotd {{ sshd_print_motd | ternary('yes', 'no') }} PrintLastLog {{ sshd_print_last_log | ternary('yes', 'no') }} TCPKeepAlive {{ sshd_tcp_keep_alive | ternary('yes', 'no') }} -MaxStartups {{ sshd_max_startups }} -Banner {{ sshd_banner }} AcceptEnv {{ sshd_accept_env | join(' ') }} Subsystem {{ sshd_subsystem }} UsePAM {{ sshd_use_pam | ternary('yes', 'no') }} From ffb19ffe250cdebda7a79d78ecb7f8c0fbe5f65b Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Fri, 27 Jan 2017 16:58:18 -0700 Subject: [PATCH 150/292] Alphabetize sshd params --- roles/sshd/defaults/main.yml | 13 +++++++------ roles/sshd/templates/sshd_config.j2 | 13 +++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index b312bc83fa..ea99f10f02 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -2,17 +2,18 @@ sshd_port: 22 sshd_listen_address: 0.0.0.0 sshd_protocol: 2 + +sshd_accept_env: [] +sshd_challenge_response_authentication: false sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key sshd_login_grace_time: 30 -sshd_permit_root_login: true -sshd_challenge_response_authentication: false sshd_password_authentication: false -sshd_x11_forwarding: false -sshd_print_motd: false +sshd_permit_root_login: true sshd_print_last_log: false -sshd_tcp_keep_alive: true -sshd_accept_env: [] +sshd_print_motd: false sshd_subsystem: sftp internal-sftp +sshd_tcp_keep_alive: true sshd_use_pam: true +sshd_x11_forwarding: false diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index d3753b1ff1..fd3e70e935 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 
@@ -3,17 +3,18 @@ Port {{ sshd_port }} ListenAddress {{ sshd_listen_address }} Protocol {{ sshd_protocol }} + +AcceptEnv {{ sshd_accept_env | join(' ') }} +ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} HostKey {{ sshd_host_rsa_key }} HostKey {{ sshd_host_dsa_key }} HostKey {{ sshd_host_ecdsa_key }} LoginGraceTime {{ sshd_login_grace_time }} -PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }} -ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} PasswordAuthentication {{ sshd_password_authentication | ternary('yes', 'no') }} -X11Forwarding {{ sshd_x11_forwarding | ternary('yes', 'no') }} -PrintMotd {{ sshd_print_motd | ternary('yes', 'no') }} +PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }} PrintLastLog {{ sshd_print_last_log | ternary('yes', 'no') }} -TCPKeepAlive {{ sshd_tcp_keep_alive | ternary('yes', 'no') }} -AcceptEnv {{ sshd_accept_env | join(' ') }} +PrintMotd {{ sshd_print_motd | ternary('yes', 'no') }} Subsystem {{ sshd_subsystem }} +TCPKeepAlive {{ sshd_tcp_keep_alive | ternary('yes', 'no') }} UsePAM {{ sshd_use_pam | ternary('yes', 'no') }} +X11Forwarding {{ sshd_x11_forwarding | ternary('yes', 'no') }} From 1324477b18d023157b98e56636311dc41f42e2a4 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 17:15:46 -0700 Subject: [PATCH 151/292] Treat repeatable sshd params as lists --- roles/sshd/defaults/main.yml | 18 +++++++++++++----- roles/sshd/templates/sshd_config.j2 | 16 +++++++++++----- 2 files changed, 24 insertions(+), 10 deletions(-) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index ea99f10f02..fe464fc975 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml 
@@ -1,13 +1,21 @@ --- -sshd_port: 22 -sshd_listen_address: 0.0.0.0 +sshd_ports: + - 22 + +sshd_listen_addresses: + - 0.0.0.0 + sshd_protocol: 2 sshd_accept_env: [] + sshd_challenge_response_authentication: false -sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key -sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key -sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key + +sshd_host_keys: + - /etc/ssh/ssh_host_rsa_key + - /etc/ssh/ssh_host_dsa_key + - /etc/ssh/ssh_host_ecdsa_key + sshd_login_grace_time: 30 sshd_password_authentication: false sshd_permit_root_login: true diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index fd3e70e935..8fa7addf7f 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -1,14 +1,20 @@ # {{ ansible_managed }} -Port {{ sshd_port }} -ListenAddress {{ sshd_listen_address }} +{% for port in sshd_ports %} +Port {{ port }} +{% endfor -%} + +{% for address in sshd_listen_addresses %} +ListenAddress {{ address }} +{% endfor -%} + Protocol {{ sshd_protocol }} AcceptEnv {{ sshd_accept_env | join(' ') }} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} -HostKey {{ sshd_host_rsa_key }} -HostKey {{ sshd_host_dsa_key }} -HostKey {{ sshd_host_ecdsa_key }} +{% for key in sshd_host_keys %} +HostKey {{ key }} +{% endfor %} LoginGraceTime {{ sshd_login_grace_time }} PasswordAuthentication {{ sshd_password_authentication | ternary('yes', 'no') }} PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }} From b24f0748fae3da3d40fd4ac324d866a1a9e52648 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 18:10:41 -0700 Subject: [PATCH 152/292] Use more secure sshd host keys --- ansible.cfg | 2 +- roles/sshd/defaults/main.yml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/ansible.cfg b/ansible.cfg index f4394078d3..ab366391ec 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -9,5 +9,5 @@ nocows = 1 roles_path = vendor/roles [ssh_connection] -ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s +ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa pipelining = True diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index fe464fc975..00e8c8845c 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -12,9 +12,8 @@ sshd_accept_env: [] sshd_challenge_response_authentication: false sshd_host_keys: + - /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key - - /etc/ssh/ssh_host_dsa_key - - /etc/ssh/ssh_host_ecdsa_key sshd_login_grace_time: 30 sshd_password_authentication: false From 3404b0bb42606737af332dc77d9eaf58738012ec Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 18:36:12 -0700 Subject: [PATCH 153/292] Use stronger ciphers with sshd --- roles/sshd/defaults/main.yml | 10 ++++++++++ roles/sshd/templates/sshd_config.j2 | 1 + 2 files changed, 11 insertions(+) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 00e8c8845c..557cfd0e75 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -11,6 +11,16 @@ sshd_accept_env: [] sshd_challenge_response_authentication: false +sshd_ciphers_default: + - chacha20-poly1305@openssh.com + - aes256-gcm@openssh.com + - aes128-gcm@openssh.com + - aes256-ctr + - aes192-ctr + - aes128-ctr + +sshd_ciphers_extra: [] + sshd_host_keys: - /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index 8fa7addf7f..325b5fba8d 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 
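Review bot: Removing the DSA and ECDSA entries from `sshd_host_keys` means sshd stops offering those keys, and the new client-side `HostKeyAlgorithms` in ansible.cfg restricts the controller to ed25519 and rsa; users whose `~/.ssh/known_hosts` currently holds only an ecdsa entry for a server will be prompted for a new key on the next run, which looks exactly like a MITM warning. A CHANGELOG entry telling users to expect and verify the new fingerprint would help. Nothing in this hunk generates `/etc/ssh/ssh_host_ed25519_key`; as far as I know sshd only logs a warning for a missing `HostKey` file and continues with the others, so confirm the package creates it on the supported Ubuntu releases.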
@@ -12,6 +12,7 @@ Protocol {{ sshd_protocol }} AcceptEnv {{ sshd_accept_env | join(' ') }} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} +Ciphers {{ (sshd_ciphers_default + sshd_ciphers_extra) | join(',') }} {% for key in sshd_host_keys %} HostKey {{ key }} {% endfor %} From 1e575864eeec1b35f179b7980a9136749d3d7443 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 18:44:08 -0700 Subject: [PATCH 154/292] Use stronger kex algorithms with sshd --- roles/sshd/defaults/main.yml | 6 ++++++ roles/sshd/templates/sshd_config.j2 | 1 + 2 files changed, 7 insertions(+) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 557cfd0e75..2a0bfc147f 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -25,6 +25,12 @@ sshd_host_keys: - /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key +sshd_kex_algorithms_default: + - curve25519-sha256@libssh.org + - diffie-hellman-group-exchange-sha256 + +sshd_kex_algorithms_extra: [] + sshd_login_grace_time: 30 sshd_password_authentication: false sshd_permit_root_login: true diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index 325b5fba8d..a0a0f0611a 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -16,6 +16,7 @@ Ciphers {{ (sshd_ciphers_default + sshd_ciphers_extra) | join(',') }} {% for key in sshd_host_keys %} HostKey {{ key }} {% endfor %} +KexAlgorithms {{ (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) | join(',') }} LoginGraceTime {{ sshd_login_grace_time }} PasswordAuthentication {{ sshd_password_authentication | ternary('yes', 'no') }} PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }} From 8d11b43ba201682c02afed65b1e442615133392c Mon Sep 17 00:00:00 2001 
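Review bot: `diffie-hellman-group-exchange-sha256` in the new `sshd_kex_algorithms_default` negotiates group sizes from `/etc/ssh/moduli`, and nothing in this hunk prunes the small groups that distribution moduli files ship, so the exchange can still settle on a weak group. Either add a task that keeps only large moduli (the usual form is `awk '$5 >= 3071' /etc/ssh/moduli > /etc/ssh/moduli.safe` followed by a move) or ship only `curve25519-sha256@libssh.org` by default and leave GEX to `sshd_kex_algorithms_extra`. The same `_default + _extra` pattern is used for `Ciphers` in the preceding hunk, so a comment on one of the `_extra` variables explaining that they append rather than replace the defaults covers both.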
From: Phil Nelson Date: Fri, 27 Jan 2017 19:48:05 -0700 Subject: [PATCH 155/292] Use stronger MACs with sshd --- roles/sshd/defaults/main.yml | 12 ++++++++++++ roles/sshd/templates/sshd_config.j2 | 1 + 2 files changed, 13 insertions(+) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 2a0bfc147f..994dd302f7 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -32,6 +32,18 @@ sshd_kex_algorithms_default: sshd_kex_algorithms_extra: [] sshd_login_grace_time: 30 + +sshd_macs_default: + - hmac-sha2-512-etm@openssh.com + - hmac-sha2-256-etm@openssh.com + - hmac-ripemd160-etm@openssh.com + - umac-128-etm@openssh.com + - hmac-sha2-512 + - hmac-sha2-256 + - hmac-ripemd160 + +sshd_macs_extra: [] + sshd_password_authentication: false sshd_permit_root_login: true sshd_print_last_log: false diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index a0a0f0611a..11d87f28a3 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -18,6 +18,7 @@ HostKey {{ key }} {% endfor %} KexAlgorithms {{ (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) | join(',') }} LoginGraceTime {{ sshd_login_grace_time }} +MACs {{ (sshd_macs_default + sshd_macs_extra) | join(',') }} PasswordAuthentication {{ sshd_password_authentication | ternary('yes', 'no') }} PermitRootLogin {{ sshd_permit_root_login | ternary('yes', 'no') }} PrintLastLog {{ sshd_print_last_log | ternary('yes', 'no') }} From 852f45ca05328d6e96390a68232ad6269a53a954 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 19:55:45 -0700 Subject: [PATCH 156/292] Use client alive messages instead of TCP keepalive messages The TCP keepalive option enabled by TCPKeepAlive is spoofable. --- roles/sshd/defaults/main.yml | 4 +++- roles/sshd/templates/sshd_config.j2 | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) 
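Review bot: `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160` in the new `sshd_macs_default` are MACs that OpenSSH dropped in 7.6, and sshd refuses to start with `Bad SSH2 mac spec` when the `MACs` line names an algorithm it does not know, so this default list breaks the service on newer releases unless trimmed to `hmac-sha2-512-etm@openssh.com`, `hmac-sha2-256-etm@openssh.com`, `umac-128-etm@openssh.com`, `hmac-sha2-512`, `hmac-sha2-256`. A comment on the variable noting that every entry must appear in the target's `ssh -Q mac` output would guard future edits.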
diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 994dd302f7..3a165dd033 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -21,6 +21,8 @@ sshd_ciphers_default: sshd_ciphers_extra: [] +sshd_client_alive_interval: 600 + sshd_host_keys: - /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_rsa_key @@ -49,6 +51,6 @@ sshd_permit_root_login: true sshd_print_last_log: false sshd_print_motd: false sshd_subsystem: sftp internal-sftp -sshd_tcp_keep_alive: true +sshd_tcp_keep_alive: false sshd_use_pam: true sshd_x11_forwarding: false diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index 11d87f28a3..f37f591647 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -13,6 +13,7 @@ Protocol {{ sshd_protocol }} AcceptEnv {{ sshd_accept_env | join(' ') }} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} Ciphers {{ (sshd_ciphers_default + sshd_ciphers_extra) | join(',') }} +ClientAliveInterval {{ sshd_client_alive_interval }} {% for key in sshd_host_keys %} HostKey {{ key }} {% endfor %} From 217bbe5dd73f121584caabe6245cb12cd64caed7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 28 Jan 2017 18:34:13 -0700 Subject: [PATCH 157/292] Add additional helpful sshd params --- roles/sshd/defaults/main.yml | 9 +++++++++ roles/sshd/templates/sshd_config.j2 | 4 ++++ 2 files changed, 13 insertions(+) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 3a165dd033..d9625a25b2 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -9,6 +9,9 @@ sshd_protocol: 2 sshd_accept_env: [] +sshd_address_family: inet +sshd_allow_agent_forwarding: true +sshd_allow_tcp_forwarding: false sshd_challenge_response_authentication: false sshd_ciphers_default: 
@@ -22,6 +25,7 @@ sshd_ciphers_default: sshd_ciphers_extra: [] sshd_client_alive_interval: 600 +sshd_debian_banner: false sshd_host_keys: - /etc/ssh/ssh_host_ed25519_key @@ -52,5 +56,10 @@ sshd_print_last_log: false sshd_print_motd: false sshd_subsystem: sftp internal-sftp sshd_tcp_keep_alive: false + +# PAM authentication enabled to avoid Debian bug with openssh-server. +# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751636 +# can change to `false` once Canonical Main repository includes openssh 1:7.2p2-6 sshd_use_pam: true + sshd_x11_forwarding: false diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index f37f591647..47d7411faa 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -11,9 +11,13 @@ ListenAddress {{ address }} Protocol {{ sshd_protocol }} AcceptEnv {{ sshd_accept_env | join(' ') }} +AddressFamily {{ sshd_address_family }} +AllowAgentForwarding {{ sshd_allow_agent_forwarding | ternary('yes', 'no') }} +AllowTcpForwarding {{ sshd_allow_tcp_forwarding | ternary('yes', 'no') }} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} Ciphers {{ (sshd_ciphers_default + sshd_ciphers_extra) | join(',') }} ClientAliveInterval {{ sshd_client_alive_interval }} +DebianBanner {{ sshd_debian_banner | ternary('yes', 'no') }} {% for key in sshd_host_keys %} HostKey {{ key }} {% endfor %} From 11ea96fa2407399348ef70f462bc6f81236378cc Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 20:14:09 -0700 Subject: [PATCH 158/292] Apply Trellis coding conventions to sshd role tasks --- roles/sshd/handlers/main.yml | 4 +++- roles/sshd/tasks/main.yml | 17 ++++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/roles/sshd/handlers/main.yml b/roles/sshd/handlers/main.yml index b04a143ca4..822887e31b 100644 --- a/roles/sshd/handlers/main.yml +++ b/roles/sshd/handlers/main.yml 
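Review bot: `DebianBanner {{ sshd_debian_banner | ternary('yes', 'no') }}` in sshd_config.j2 is a keyword that exists only in the Debian/Ubuntu-patched OpenSSH; an upstream or otherwise packaged sshd treats it as a bad configuration option and refuses to start, and nothing in the role guards for that. Trellis targets Ubuntu so it works today, but the variable deserves a comment in defaults, `# DebianBanner is a Debian/Ubuntu patch; not a valid option on upstream OpenSSH`, so anyone reusing the template on another base image knows why sshd dies. It is also worth noting there that this only hides the distro suffix from the version banner; the OpenSSH version itself stays visible, so it reduces fingerprinting noise rather than hardening anything.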
@@ -1,3 +1,5 @@ --- - name: restart ssh - service: name=ssh state=restarted \ No newline at end of file + service: + name: ssh + state: restarted diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 8ddd1003d9..3f47ade9bc 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -1,16 +1,19 @@ --- -- name: ensure ssh server is installed +- name: Ensure latest SSH server and client are installed apt: - pkg: openssh-server + pkg: "{{ item }}" state: latest update_cache: true cache_valid_time: "{{ apt_cache_valid_time }}" - notify: - - restart ssh + with_items: + - openssh-server + - openssh-client + notify: restart ssh -- name: ensure sshd is configured +- name: Create a secure sshd_config template: src: sshd_config.j2 dest: /etc/ssh/sshd_config - notify: - - restart ssh + mode: 0600 + validate: '/usr/sbin/sshd -T -f %s' + notify: restart ssh From b60d7c2ac8e5a10d555016fd991cb89fe737f5d7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 27 Jan 2017 20:30:01 -0700 Subject: [PATCH 159/292] Create ssh_config as part of sshd role --- roles/sshd/defaults/main.yml | 24 ++++++++++++++++++++++++ roles/sshd/tasks/main.yml | 6 ++++++ roles/sshd/templates/ssh_config.j2 | 21 +++++++++++++++++++++ 3 files changed, 51 insertions(+) create mode 100644 roles/sshd/templates/ssh_config.j2 diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index d9625a25b2..ff4e89b78e 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -1,4 +1,6 @@ --- +# sshd_config +# ---------------------------- sshd_ports: - 22 
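Review bot: Switching the package task in roles/sshd/tasks/main.yml to `state: latest` for both `openssh-server` and `openssh-client` means every provisioning run may upgrade OpenSSH to whatever the archive currently holds, and the package's maintainer scripts typically restart sshd during that upgrade, before the next task has validated and written the new `sshd_config`. That is an unreviewed change to the one service that must not break mid-play; `state: present` keeps the upgrade decision explicit and leaves security updates to the system's normal update path. If `latest` is intentional because the cipher/MAC/kex lists need a sufficiently recent OpenSSH, say so in a comment (`# latest: the algorithm lists in sshd_config.j2 require a recent OpenSSH`) so the next reader does not "fix" it. The `validate: '/usr/sbin/sshd -T -f %s'` on the template task is the right guard and should stay.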
@@ -63,3 +65,25 @@ sshd_tcp_keep_alive: false sshd_use_pam: true sshd_x11_forwarding: false + + +# ssh_config +# ---------------------------- +ssh_port: 22 +ssh_compression: true +ssh_gssapi_authentication: false + +ssh_host_key_algorithms: + - ssh-ed25519-cert-v01@openssh.com + - ssh-rsa-cert-v01@openssh.com + - ssh-ed25519 + - ssh-rsa + +ssh_identity_files: + - ~/.ssh/id_ed25519 + - ~/.ssh/id_rsa + +ssh_send_env: [] + +ssh_strict_host_key_checking: ask +ssh_use_roaming: false diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 3f47ade9bc..0d4c2b5b99 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -17,3 +17,9 @@ mode: 0600 validate: '/usr/sbin/sshd -T -f %s' notify: restart ssh + +- name: Create a secure ssh_config + template: + src: ssh_config.j2 + dest: /etc/ssh/ssh_config + mode: 0644 diff --git a/roles/sshd/templates/ssh_config.j2 b/roles/sshd/templates/ssh_config.j2 new file mode 100644 index 0000000000..1d8162b37e --- /dev/null +++ b/roles/sshd/templates/ssh_config.j2 
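Review bot: `ssh_use_roaming: false` in roles/sshd/defaults/main.yml is rendered unconditionally as `UseRoaming no` into the server's /etc/ssh/ssh_config, but client roaming was removed from OpenSSH in 7.2 and, as far as I recall, the keyword survives only as a deprecated no-op that makes every `ssh` invocation on the host print a "Deprecated option" warning; on 16.04's 7.2p2 that noise would appear in every deploy's git output. Either drop the option from the default template or render it only when explicitly set (`{% if ssh_use_roaming is defined %}`), and keep the rationale as a comment on the variable, e.g. `# UseRoaming only matters for OpenSSH < 7.2 (CVE-2016-0777); newer clients warn that it is deprecated`.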
@@ -0,0 +1,21 @@ +# {{ ansible_managed }} + +Host * + Port {{ ssh_port }} + Protocol {{ ssh_protocol | default(sshd_protocol) }} + + AddressFamily {{ ssh_address_family | default(sshd_address_family) }} + ChallengeResponseAuthentication {{ ssh_challenge_response_authentication | default(sshd_challenge_response_authentication) | ternary('yes', 'no') }} + Ciphers {{ (ssh_ciphers_default | default(sshd_ciphers_default) + ssh_ciphers_extra | default(sshd_ciphers_extra)) | join(',') }} + Compression {{ ssh_compression | ternary('yes', 'no') }} + GSSAPIAuthentication {{ ssh_gssapi_authentication | ternary('yes', 'no') }} + HostKeyAlgorithms {{ ssh_host_key_algorithms | join(',') }} + {% for file in ssh_identity_files -%} + IdentityFile {{ file }} + {% endfor -%} + KexAlgorithms {{ (ssh_kex_algorithms_default | default(sshd_kex_algorithms_default) + ssh_kex_algorithms_extra | default(sshd_kex_algorithms_extra)) | join(',') }} + MACs {{ (ssh_macs_default | default(sshd_macs_default) + ssh_macs_extra | default(sshd_macs_extra)) | join(',') }} + PasswordAuthentication {{ ssh_password_authentication | default(sshd_password_authentication) | ternary('yes', 'no') }} + SendEnv {{ ssh_send_env | join(' ') }} + StrictHostKeyChecking {{ ssh_strict_host_key_checking }} + UseRoaming {{ ssh_use_roaming | ternary('yes','no') }} From 69659b7b6365451cdc44380f30f13cbea410a54f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 28 Jan 2017 12:52:54 -0700 Subject: [PATCH 160/292] Enable template inheritance for sshd_config and ssh_config --- roles/sshd/defaults/main.yml | 3 +++ roles/sshd/tasks/main.yml | 4 ++-- roles/sshd/templates/ssh_config.j2 | 2 ++ roles/sshd/templates/sshd_config.j2 | 2 ++ 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index ff4e89b78e..d5a2fe501e 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml 
@@ -1,6 +1,8 @@ --- # sshd_config # ---------------------------- +sshd_config: sshd_config.j2 + sshd_ports: - 22 @@ -69,6 +71,7 @@ sshd_x11_forwarding: false # ssh_config # ---------------------------- +ssh_config: ssh_config.j2 ssh_port: 22 ssh_compression: true ssh_gssapi_authentication: false diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 0d4c2b5b99..326241e1de 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -12,7 +12,7 @@ - name: Create a secure sshd_config template: - src: sshd_config.j2 + src: "{{ sshd_config }}" dest: /etc/ssh/sshd_config mode: 0600 validate: '/usr/sbin/sshd -T -f %s' @@ -20,6 +20,6 @@ - name: Create a secure ssh_config template: - src: ssh_config.j2 + src: "{{ ssh_config }}" dest: /etc/ssh/ssh_config mode: 0644 diff --git a/roles/sshd/templates/ssh_config.j2 b/roles/sshd/templates/ssh_config.j2 index 1d8162b37e..a21eee8c8f 100644 --- a/roles/sshd/templates/ssh_config.j2 +++ b/roles/sshd/templates/ssh_config.j2 @@ -1,5 +1,6 @@ # {{ ansible_managed }} +{% block main %} Host * Port {{ ssh_port }} Protocol {{ ssh_protocol | default(sshd_protocol) }} @@ -19,3 +20,4 @@ Host * SendEnv {{ ssh_send_env | join(' ') }} StrictHostKeyChecking {{ ssh_strict_host_key_checking }} UseRoaming {{ ssh_use_roaming | ternary('yes','no') }} +{% endblock %} diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index 47d7411faa..228c3d5a59 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 @@ -1,5 +1,6 @@ # {{ ansible_managed }} +{% block main %} {% for port in sshd_ports %} Port {{ port }} {% endfor -%} @@ -32,3 +33,4 @@ Subsystem {{ sshd_subsystem }} TCPKeepAlive {{ sshd_tcp_keep_alive | ternary('yes', 'no') }} UsePAM {{ sshd_use_pam | ternary('yes', 'no') }} X11Forwarding {{ sshd_x11_forwarding | ternary('yes', 'no') }} +{% endblock %} From c0b001d77525c19f3d0310eb1d35b2654e22addd Mon Sep 17 00:00:00 2001 
From: RiFi2k Date: Sat, 28 Jan 2017 16:53:40 -0700 Subject: [PATCH 161/292] Remove insecure lines from moduli file --- roles/sshd/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 326241e1de..3fa0bcb6c8 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -23,3 +23,10 @@ src: "{{ ssh_config }}" dest: /etc/ssh/ssh_config mode: 0644 + +- name: Remove Diffie-Hellman moduli of size < 2000 + lineinfile: + backup: yes + dest: /etc/ssh/moduli + regexp: ^(\d+\s){4}1 + state: absent From ec5c76832ef53389572f808116f93f3e8d110c09 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 31 Jan 2017 17:47:07 -0700 Subject: [PATCH 162/292] Validate compatible settings between SSH client and server --- roles/common/defaults/main.yml | 6 ++++ roles/common/tasks/main.yml | 20 ++++++++++++++ roles/common/templates/validate_ssh_msg.j2 | 32 ++++++++++++++++++++++ 3 files changed, 58 insertions(+) create mode 100644 roles/common/templates/validate_ssh_msg.j2 diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index c92cf2684e..af88629f6f 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
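Review bot: The `regexp: ^(\d+\s){4}1` in the new "Remove Diffie-Hellman moduli of size < 2000" task keys on the first digit of the fifth (size) field, so it deletes every modulus whose size starts with 1 rather than every modulus below 2000; on the stock Ubuntu file that happens to be just the 1023- and 1535-bit groups, but a 10239- or 16383-bit entry added later would be silently removed too. Anchoring the size to four digits, `regexp: '^(\d+\s+){4}1\d{3}\s'`, matches the task name exactly. Worth a comment on the task as well: if the edit ever empties the file, sshd falls back to its built-in groups with a warning rather than failing, so no validate step would catch a bad pattern here, and the task must stay after the apt task since a package upgrade can ship a fresh moduli file.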
@@ -18,3 +18,9 @@ apt_packages_default: apt_packages_custom: [] apt_packages_install: "{{ apt_packages_default + apt_packages_custom }}" + +overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" +overlapping_kex: "[{% for kex in (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) if kex in ssh_client_kex %}'{{ kex }}',{% endfor %}]" +overlapping_macs: "[{% for mac in (sshd_macs_default + sshd_macs_extra) if mac in ssh_client_macs %}'{{ mac }}',{% endfor %}]" +host_key_types: "[{% for path in sshd_host_keys %}'{{ path | regex_replace('/etc/ssh/ssh_host_(.+)_key', '\\1') | regex_replace('dsa', 'ssh-dss')}}',{% endfor %}]" +overlapping_host_keys: "{% for key in host_key_types if key in ssh_client_host_key_algorithms %}{{ key }},{% endfor %}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 6260b0dd29..9226e86308 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
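Review bot: The `overlapping_*` facts in roles/common/defaults/main.yml test `cipher in ssh_client_ciphers` where `ssh_client_ciphers` is the raw `ssh -G` output line, a string, so `in` is a substring match: `hmac-sha2-256` is reported as shared when the client only offers `hmac-sha2-256-etm@openssh.com`, and the assertion can pass for a client that will in fact be locked out after the sshd role runs. Split the client value into names before comparing, e.g. `ssh_client_mac_list: "{{ ssh_client_macs.split(' ')[1].split(',') }}"` and `if mac in ssh_client_mac_list`, and do the same for ciphers and kex. Note that `host_key_types` relies on the same substring behaviour on purpose (`ed25519` only matches because it is inside `ssh-ed25519`), so that comparison needs the `ssh-` prefix restored if the others become exact matches; a comment saying which comparisons are exact and which are deliberate substring checks would help.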
@@ -44,6 +44,26 @@ when: env != 'development' and darwin_without_passlib | default(false) run_once: true +- name: Retrieve local SSH client's settings per host + set_fact: + ssh_client_ciphers: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep ciphers') }}" + ssh_client_kex: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep kexalgorithms') }}" + ssh_client_macs: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep macs') }}" + ssh_client_host_key_algorithms: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep hostkeyalgorithms') }}" + when: validate_ssh | default(true) + tags: [sshd] + +- name: Validate compatible settings between SSH client and server + assert: + that: + - overlapping_ciphers | count + - overlapping_kex | count + - overlapping_macs | count + - overlapping_host_keys | count + msg: "{{ lookup('template', 'validate_ssh_msg.j2') }}" + when: validate_ssh | default(true) + tags: [sshd] + - name: Checking essentials apt: name: "{{ item }}" diff --git a/roles/common/templates/validate_ssh_msg.j2 b/roles/common/templates/validate_ssh_msg.j2 new file mode 100644 index 0000000000..6d49d95aef --- /dev/null +++ b/roles/common/templates/validate_ssh_msg.j2 
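Review bot: The four `lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep …')` calls in "Retrieve local SSH client's settings per host" require the controller's ssh to support `-G`, which appeared in OpenSSH 6.8; on an older client the pipe lookup raises on the non-zero exit and provisioning aborts with an opaque error instead of the friendly validate_ssh_msg.j2 text, and because `validate_ssh` defaults to true that is the failure mode for anyone on an older distro or macOS client. I would run one probe first (a `command: ssh -G localhost` with `ignore_errors: true`, `delegate_to: localhost`) and skip the validation with a warning when it fails, or at least document the minimum client version. Separately, `ansible_host` is interpolated into a shell pipeline unquoted; it comes from the inventory so it is trusted, but `'ssh -ttG ' + ansible_host | quote` costs nothing and keeps an odd hostname from breaking the lookup.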
@@ -0,0 +1,32 @@ +{% macro msg(param_name, ssh_client_values, sshd_config_values, overlap_values, param_var_name) %} +{% if not overlap_values | count %} +{{ param_name }} your SSH Client is making available for {{ ansible_host }}: +{% for item in ssh_client_values.replace(' ',',').split(',') if item != param_name | lower %} + - {{ item }} +{% endfor %} + +{{ (param_name != 'HostKeyAlgorithms') | ternary(param_name, 'HostKeys') }} the host {{ ansible_host }} will accept/use after sshd role: +{% for item in sshd_config_values %} + - {{ item }} +{% endfor %} + +Create a corresponding value between the two. Adjust either of the following: + - your SSH client's {{ param_name }} option (recommended) + - the `{{ param_var_name }}` Trellis variable + +--------------------------------------------------- + +{% endif %} +{% endmacro -%} + +Your local SSH client settings will not support the settings that the sshd role will apply to the SSH server (on {{ ansible_host }}). + +See https://github.com/roots/trellis/tree/master/roles/sshd#ciphers-kexalgorithms-and-macs +--------------------------------------------------- + +{{ msg('Ciphers', ssh_client_ciphers, sshd_ciphers_default + sshd_ciphers_extra, overlapping_ciphers, 'sshd_ciphers_extra') -}} +{{ msg('KexAlgorithms', ssh_client_kex, sshd_kex_algorithms_default + sshd_kex_algorithms_extra, overlapping_kex, 'sshd_kex_algorithms_extra') -}} +{{ msg('MACs', ssh_client_macs, sshd_macs_default + sshd_macs_extra, overlapping_macs, 'sshd_macs_extra') -}} +{{ msg('HostKeyAlgorithms', ssh_client_host_key_algorithms, sshd_host_keys, overlapping_host_keys, 'sshd_host_keys') -}} + +To disable this validation and warning, define `validate_ssh: false` From 46fc62abc8a8586d4d15972ce967df5d8345075b Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Sat, 28 Jan 2017 15:04:09 -0700 Subject: [PATCH 163/292] Update sshd role README --- CHANGELOG.md | 1 + roles/sshd/README.md | 196 +++++++++++++++++++++++++++++++------------ 2 files changed, 145 insertions(+), 52 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ccebe6b22..1e3535567a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Use more secure sshd defaults ([#744](https://github.com/roots/trellis/pull/744)) * Add basic git repo host keys to `known_hosts` ([#751](https://github.com/roots/trellis/pull/751)) * Accommodate template inheritance for nginx confs ([#740](https://github.com/roots/trellis/pull/740)) * Add `apt_packages_custom` to customize Apt packages ([#735](https://github.com/roots/trellis/pull/735)) diff --git a/roles/sshd/README.md b/roles/sshd/README.md index 97d3228920..f6d27bdcb6 100644 --- a/roles/sshd/README.md +++ b/roles/sshd/README.md 
@@ -1,56 +1,148 @@ -## What is ansible-sshd? - -It is an [ansible](http://www.ansible.com/home) role to install openssh-server and configure it. - -### What problem does it solve and why is it useful? - -Often times you want to disable root logins and password based logins. This role sets those options by default but it also exposes every config value found in the default ubuntu 14.04 `sshd_config` file. - -## Role variables - -Below is a list of default values along with a description of what they do. - -``` -# To view what these commands do, check out: -# http://www.openssh.com/cgi-bin/man.cgi?query=sshd_config - -sshd_port: 22 -sshd_listen_address: 0.0.0.0 -sshd_protocol: 2 -sshd_host_rsa_key: /etc/ssh/ssh_host_rsa_key -sshd_host_dsa_key: /etc/ssh/ssh_host_dsa_key -sshd_host_ecdsa_key: /etc/ssh/ssh_host_ecdsa_key -sshd_use_privilege_separation: true -sshd_key_regeneration_interval: 3600 -sshd_server_key_bits: 768 -sshd_syslog_facility: AUTH -sshd_log_level: INFO -sshd_login_grace_time: 120 -sshd_permit_root_login: true -sshd_strict_modes: true -sshd_rsa_authentication: true -sshd_pubkey_authentication: true -sshd_authorized_keys_file: "%h/.ssh/authorized_keys" -sshd_ignore_rhosts: true -sshd_rhosts_rsa_authentication: false -sshd_host_based_authentication: false -sshd_ignore_user_known_hosts: false -sshd_permit_empty_passwords: false -sshd_challenge_response_authentication: false -sshd_password_authentication: false -sshd_gss_api_authentication: false -sshd_gss_api_cleanup_credentials: true -sshd_x11_forwarding: true -sshd_x11_display_offset: 10 -sshd_print_motd: false -sshd_print_last_log: true -sshd_tcp_keep_alive: true -sshd_max_startups: 10:30:100 -sshd_banner: none -sshd_accept_env: LANG LC_* -sshd_subsystem: sftp /usr/lib/openssh/sftp-server -sshd_use_pam: true +The `sshd` role creates the following two configuration files on the server, setting secure defaults. 
+ +* SSH server: `/etc/ssh/sshd_config` +* SSH client: `/etc/ssh/ssh_config` + +## Open a backup SSH connection + +When you modify SSH settings, you risk creating a configuration that blocks your future access. As a precaution, open a backup SSH connection in a second terminal before running the `sshd` role. Use this backup connection to resolve any configuration problems you encounter. Keep the connection active until you are confident your revised SSH configuration will allow you future access. + +``` +ssh -o ServerAliveInterval=60 root@12.34.56.78 +``` + +The `ServerAliveInterval` option causes your SSH client to periodically send the server messages that the connection is still alive. This helps prevent the server or your NAT router from pruning the connection as stale. If you are using PuTTY or WinSCP, change the "Seconds between keepalives" to 60. + +## Full configuration + +To keep the files as simple as possible, options are omitted if their system defaults are secure and broadly applicable. You may see the full and active configuration by running the following commands on your server. + +* SSH server (`sshd_config`): `sshd -T` +* SSH client (`ssh_config`): `ssh -G example.com` + +There are [resources](#resources) for understanding each option. + +## Customize via variables + +You may redefine any variable found in `templates/sshd_config.j2` or `templates/ssh_config.j2`. The default settings are viewable in `defaults/main.yml`. To override a setting, you could redefine your chosen variable in a file such as `group_vars/all/main.yml` or `group_vars/all/security.yml`. If you don't find a variable for the setting you need to change, you may need to [customize via child templates](#customize-via-child-templates). + +### Basic variable override + +Suppose you want your SSH server to `AcceptEnv`, whereas the Trellis default does not accept any env variables. 
You could find the relevant variable name in `templates/sshd_config.j2` or in `defaults/main.yml`, then redefine that variable in `group_vars/all/main.yml`. In this example, the relevant variable is `sshd_accept_env` and is formatted as a list. + +``` +# group_vars/all/main.yml + +sshd_accept_env: + - LANG + - LC_* +``` + +You may notice that `templates/ssh_config.j2` references some `ssh_` variables that are not included in `defaults/main.yml` and that default to a `sshd_` variable. Here is an example: +``` +AddressFamily {{ ssh_address_family | default(sshd_address_family) }} +``` +This pattern spares `defaults/main.yml` from having repetitious `ssh` and `sshd` definitions for all settings. You may still define custom values for any `ssh_` in your `group_vars` files. + +### `Ciphers`, `KexAlgorithms`, and `MACs` + +The variables for `Ciphers`, `KexAlgorithms`, and `MACs` are split into `_default` and `_extra` (e.g., `sshd_macs_default` and `sshd_macs_extra`). The `_default` contains a list you will probably not need to change. You may use `_extra` to supplement the default lists. SSH connections involving older systems may require some of the less secure options below. + +``` +# group_vars/all/security.yml + +# Allow CBC mode ciphers (less secure) +sshd_ciphers_extra: + - aes256-cbc + - aes192-cbc + - aes128-cbc + +# Accommodate older systems by allowing weaker kex algorithms (less secure) +sshd_kex_algorithms_extra: + - diffie-hellman-group14-sha1 + - diffie-hellman-group-exchange-sha1 + - diffie-hellman-group1-sha1 + +# Accommodate older systems by allowing weaker MACs (less secure) +sshd_macs_extra: + - umac-128@openssh.com + - hmac-sha1 +``` + +## Customize via child templates + +If you can't [customize via variables](#customize-via-variables) because the template doesn't include a variable for the setting you want to change, first check the [full configuration](#full-configuration) to verify that the default in effect is not what you want. 
If you need to make a change, you may create a child template to override the default template. + +Create your child templates following the [Jinja template inheritance](http://jinja.pocoo.org/docs/latest/templates/#template-inheritance) docs and the guidelines below. + + +### Designate a child template + +Use the `sshd_config` and `ssh_config` variables to inform Trellis of the child templates you have created. Below is an example of designating child templates in a new `templates` directory in your Trellis project root (e.g., next to the `server.yml` playbook). + +``` +# group_vars/all/main.yml + +sshd_config: "{{ playbook_dir }}/templates/sshd_config.j2" +ssh_config: "{{ playbook_dir }}/templates/ssh_config.j2" +``` + +### Create a child template + +Create your child templates at the paths you designated in the `sshd_config` and `ssh_config` variables described above. [Child templates](http://jinja.pocoo.org/docs/latest/templates/#child-template) must include two elements: + +* an `{% extends 'base_template' %}` statement +* one or more `{% block block_name %}` blocks + +The path for your base template – referenced in your `extends` statement – must be relative to the `server.yml` playbook (i.e., relative to the Trellis root directory). See the examples below. + +Here is an example child template that adds some sftp settings to the end of the `sshd_config`. + +``` +# templates/sshd_config.j2 + +{% extends 'roles/sshd/templates/sshd_config.j2' %} + +{% block main %} +{{ super() }} +Match Group sftponly +AllowAgentForwarding no +ChrootDirectory /home/%u +ForceCommand internal-sftp +PermitRootLogin no +{%- endblock %} ``` +The [`{{ super() }}`](http://jinja.pocoo.org/docs/latest/templates/#super-blocks) Jinja2 function returns the original block content from the base template, and can be omitted if you don't want to include the original content. + +Here is an example child template that adds host-specific SSH options at the beginning of `ssh_config`. 
+ +``` +# templates/ssh_config.j2 + +{% extends 'roles/sshd/templates/ssh_config.j2' %} + +{% block main %} +# Host-specific configuration +Host example.com example2.com + Port 2222 + ForwardAgent yes + +# Global defaults for all Hosts +{{ super() }} +{%- endblock %} +``` + +## Troubleshooting + +See the Trellis docs for [troubleshooting SSH connections](https://roots.io/trellis/docs/troubleshooting/#ssh-connections). + +## Resources + +* Ubuntu manpage for [sshd_config](http://manpages.ubuntu.com/manpages/xenial/en/man5/sshd_config.5.html) +* Ubuntu manpage for [ssh_config](http://manpages.ubuntu.com/manpages/xenial/en/man5/ssh_config.5.html) +* stribika's [Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html) post +* MozillaWiki's [security guidelines for OpenSSH](https://wiki.mozilla.org/Security/Guidelines/OpenSSH) +* bettercrypto.org's [Applied Crypto Hardening](https://bettercrypto.org/static/applied-crypto-hardening.pdf) ## Attribution From e2dbf728ff87e69756f361c3485973c0c9144126 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 4 Jan 2017 01:10:42 -0700 Subject: [PATCH 164/292] Require Ansible 2.2 for better SSH error output --- CHANGELOG.md | 1 + README.md | 2 +- roles/common/defaults/main.yml | 4 +--- roles/common/handlers/main.yml | 3 +-- roles/common/tasks/reload_nginx.yml | 3 +-- 5 files changed, 5 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e3535567a..5ab58e7795 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Require Ansible 2.2.0.0 or greater ([#726](https://github.com/roots/trellis/pull/726)) * [BREAKING] Use more secure sshd defaults ([#744](https://github.com/roots/trellis/pull/744)) * Add basic git repo host keys to `known_hosts` ([#751](https://github.com/roots/trellis/pull/751)) * Accommodate template inheritance for nginx confs ([#740](https://github.com/roots/trellis/pull/740)) diff --git a/README.md b/README.md index 2f340b6d2c..feefe932eb 100644 
--- a/README.md +++ b/README.md @@ -31,7 +31,7 @@ Trellis will configure a server with the following and more: Make sure all dependencies have been installed before moving on: -* [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) >= 2.0.2 (except 2.1.0) +* [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) >= 2.2 * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 1.8.5 * [vagrant-bindfs](https://github.com/gael-ian/vagrant-bindfs#installation) >= 0.3.1 (Windows users may skip this) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index af88629f6f..c50b870a77 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -1,8 +1,6 @@ ansible_requirements: - - version: 2.0.2.0 + - version: 2.2.0.0 operator: '>=' - - version: 2.1.0.0 - operator: '!=' ntp_timezone: Etc/UTC diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index c5051bd403..bac2a61ba3 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -12,5 +12,4 @@ name: php7.1-fpm state: reloaded -- name: reload nginx - include: reload_nginx.yml +- include: reload_nginx.yml diff --git a/roles/common/tasks/reload_nginx.yml b/roles/common/tasks/reload_nginx.yml index c0af12e9c1..952a6082e0 100644 --- a/roles/common/tasks/reload_nginx.yml +++ b/roles/common/tasks/reload_nginx.yml @@ -1,8 +1,7 @@ --- - name: reload nginx command: nginx -t - register: nginx_test - notify: "{{ (ansible_version.full | version_compare('2.1.1.0', '>=') and role_path | basename == 'common') | ternary('perform nginx reload', omit) }}" + notify: "{{ (role_path | basename == 'common') | ternary('perform nginx reload', omit) }}" - name: perform nginx reload service: From 8e4919a7a874ff53f48b9c5695df4594454028c7 Mon Sep 17 00:00:00 2001 
From: Jon Gilkison Date: Wed, 15 Feb 2017 12:07:55 +0700 Subject: [PATCH 165/292] Parallels tools MUST BE installed first time that vagrant is run. --- Vagrantfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Vagrantfile b/Vagrantfile index 6c9434c300..192a86cb7f 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -148,6 +148,7 @@ Vagrant.configure('2') do |config| config.vm.provider 'parallels' do |prl, override| prl.name = config.vm.hostname prl.cpus = cpus + prl.update_guest_tools = true prl.memory = memory end From b270f743cf7137c8d0dc11b1fb4c7e66f34baa4f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 14 Feb 2017 23:07:00 -0700 Subject: [PATCH 166/292] Fix formatting of set_fact for ansible_become_pass --- CHANGELOG.md | 1 + roles/remote-user/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ab58e7795..d71a0d50e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Fix formatting of `set_fact` for `ansible_become_pass` ([#758](https://github.com/roots/trellis/pull/758)) * Require Ansible 2.2.0.0 or greater ([#726](https://github.com/roots/trellis/pull/726)) * [BREAKING] Use more secure sshd defaults ([#744](https://github.com/roots/trellis/pull/744)) * Add basic git repo host keys to `known_hosts` ([#751](https://github.com/roots/trellis/pull/751)) diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index 182273a884..7da78f8505 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml 
@@ -24,6 +24,6 @@ - name: Load become password set_fact: - ansible_become_pass: "{% for user in vault_users | default([]) if user.name == ansible_user %}{{ '{% raw %}' }}{{ user.password | default('') }}{{ '{% endraw %}' }}{% endfor %}" + ansible_become_pass: "{% raw %}{% for user in vault_users | default([]) if user.name == ansible_user %}{{ user.password | default('') }}{% endfor %}{% endraw %}" when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined no_log: true From 5f5b92669e76f33e0a244fdb0c86c122ec79d585 Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Wed, 15 Feb 2017 09:20:26 -0800 Subject: [PATCH 167/292] add DOMAIN_CURRENT_SITE to .env (#760) --- CHANGELOG.md | 1 + deploy.yml | 1 + group_vars/all/helpers.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d71a0d50e7..f85e25b4c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add DOMAIN_CURRENT_SITE to default env variables ([#760](https://github.com/roots/trellis/pull/760)) * Fix formatting of `set_fact` for `ansible_become_pass` ([#758](https://github.com/roots/trellis/pull/758)) * Require Ansible 2.2.0.0 or greater ([#726](https://github.com/roots/trellis/pull/726)) * [BREAKING] Use more secure sshd defaults ([#744](https://github.com/roots/trellis/pull/744)) diff --git a/deploy.yml b/deploy.yml index 39b2fc57f0..0e6f1efa39 100644 --- a/deploy.yml +++ b/deploy.yml 
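Review bot: Wrapping the whole `ansible_become_pass` expression in `{% raw %}` stores the literal Jinja source as the fact, so the loop over `vault_users` is evaluated later, wherever the fact is used, rather than once at `set_fact` time; the commit message calls this a formatting fix, but it changes when and how the vault password is rendered, and whether a password that itself contains `{{` or `{%` survives that second pass is not obvious from here and deserves a quick test. A comment above the task stating the reason for `raw` would keep the next reader from simplifying it back, e.g. `# stored un-rendered so the vault_users lookup runs when the become password is needed, not at set_fact time`. `no_log: true` is already present and should stay.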
@@ -21,6 +21,7 @@ wp_env: "{{ env }}" wp_home: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}" wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" + domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" site_env: "{{ wordpress_env_defaults | combine(project.env | default({}), vault_wordpress_sites[site].env) }}" project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index ab9c007cc2..e8dd9325aa 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -7,6 +7,7 @@ wordpress_env_defaults: wp_env: "{{ env }}" wp_home: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}" wp_siteurl: "{{ ssl_enabled | ternary('https', 'http') }}://{{ site_hosts_canonical | first }}/wp" + domain_current_site: "{{ site_hosts_canonical | first }}" site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vault_wordpress_sites[item.key].env) }}" site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" From bd8620a855e5f3f2d9492e5a7c6749d12412e940 Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Wed, 15 Feb 2017 09:20:48 -0800 Subject: [PATCH 168/292] Update wp-cli to 1.1.0 (#759) --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f85e25b4c4..a9364d4bef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Update WP-CLI to 1.1.0 ([#759](https://github.com/roots/trellis/pull/759)) * Add DOMAIN_CURRENT_SITE to default env variables ([#760](https://github.com/roots/trellis/pull/760)) * Fix formatting of `set_fact` for `ansible_become_pass` ([#758](https://github.com/roots/trellis/pull/758)) * Require Ansible 2.2.0.0 or greater ([#726](https://github.com/roots/trellis/pull/726)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 593f2cd4be..8ed1442c7e 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.0.0 +wp_cli_version: 1.1.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From 5482cf9f9c23b104c8fe8e588b9b181333db9771 Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Wed, 15 Feb 2017 09:41:53 -0800 Subject: [PATCH 169/292] Add ability to pass extra parameters to bin/deploy.sh (#748) --- CHANGELOG.md | 1 + bin/deploy.sh | 21 +++++++++++++++------ 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a9364d4bef..9655e46b15 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Forward extra bin/deploy.sh parameters to ansible-playbook ([#748](https://github.com/roots/trellis/pull/748)) * Update WP-CLI to 1.1.0 ([#759](https://github.com/roots/trellis/pull/759)) * Add DOMAIN_CURRENT_SITE to default env variables ([#760](https://github.com/roots/trellis/pull/760)) * Fix formatting of `set_fact` for `ansible_become_pass` ([#758](https://github.com/roots/trellis/pull/758)) diff --git a/bin/deploy.sh b/bin/deploy.sh index c57f6392e2..79d72c37d4 100755 --- a/bin/deploy.sh +++ b/bin/deploy.sh 
@@ -1,16 +1,15 @@ #!/bin/bash shopt -s nullglob -DEPLOY_CMD="ansible-playbook deploy.yml -e env=$1 -e site=$2" ENVIRONMENTS=( hosts/* ) ENVIRONMENTS=( "${ENVIRONMENTS[@]##*/}" ) -NUM_ARGS=2 show_usage() { - echo "Usage: deploy + echo "Usage: deploy [options] is the environment to deploy to ("staging", "production", etc) is the WordPress site to deploy (name defined in "wordpress_sites") +[options] is any number of parameters that will be passed to ansible-playbook Available environments: `( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" )` @@ -18,15 +17,25 @@ Available environments: Examples: deploy staging example.com deploy production example.com + deploy staging example.com -vv -T 60 " } -HOSTS_FILE="hosts/$1" +[[ $# -lt 2 ]] && { show_usage; exit 0; } -[[ $# -ne $NUM_ARGS || $1 = -h ]] && { show_usage; exit 0; } +for arg +do + [[ $arg = -h ]] && { show_usage; exit 0; } +done + +ENV="$1"; shift +SITE="$1"; shift +EXTRA_PARAMS=$@ +DEPLOY_CMD="ansible-playbook deploy.yml -e env=$ENV -e site=$SITE $EXTRA_PARAMS" +HOSTS_FILE="hosts/$ENV" if [[ ! -e $HOSTS_FILE ]]; then - echo "Error: $1 is not a valid environment ($HOSTS_FILE does not exist)." + echo "Error: $ENV is not a valid environment ($HOSTS_FILE does not exist)." echo echo "Available environments:" ( IFS=$'\n'; echo "${ENVIRONMENTS[*]}" ) From fd5033e75dfee673de61e2c7fef9dd095ab1de82 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 16 Feb 2017 00:59:29 -0700 Subject: [PATCH 170/292] Enable admin_user to invoke sudo with xdebug-tunnel.yml --- roles/xdebug-tunnel/tasks/main.yml | 1 + xdebug-tunnel.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/roles/xdebug-tunnel/tasks/main.yml b/roles/xdebug-tunnel/tasks/main.yml index 087428970d..b015c11099 100644 --- a/roles/xdebug-tunnel/tasks/main.yml +++ b/roles/xdebug-tunnel/tasks/main.yml 
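Review bot: `EXTRA_PARAMS=$@` collapses the remaining arguments into one scalar, so an option containing whitespace (for example `-e "key=value with spaces"`, or a quoted `--private-key` path) is re-split into separate words when `$DEPLOY_CMD` is later expanded, and the example `deploy staging example.com -vv -T 60` only works because none of its parts contain spaces. Keep the arguments as an array instead: `EXTRA_PARAMS=("$@")` and `DEPLOY_CMD=(ansible-playbook deploy.yml -e "env=$ENV" -e "site=$SITE" "${EXTRA_PARAMS[@]}")`, then invoke it as `"${DEPLOY_CMD[@]}"`. The line that executes `DEPLOY_CMD` is outside this hunk and would need that last change too.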
@@ -7,6 +7,7 @@ ssh -S '{{ xdebug_tunnel_control_socket }}' -O exit '{{ xdebug_tunnel_control_identity }}' {% endif %} connection: local + become: no register: xdebug_tunnel ignore_errors: true diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index a6cbb5df77..6da907642c 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -7,6 +7,7 @@ - name: Enable or Disable Xdebug and SSH Tunnel hosts: "{{ xdebug_tunnel_inventory_host }}" + become: yes roles: - { role: xdebug, tags: [xdebug] } - { role: xdebug-tunnel, tags: [xdebug-tunnel] } From 092464009db2857ab8f7fc10b118858c94249d71 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 17 Feb 2017 15:43:34 -0700 Subject: [PATCH 171/292] Permit TCP port forwarding for 127.0.0.1:3306 --- roles/sshd/defaults/main.yml | 2 +- roles/sshd/templates/sshd_config.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index d5a2fe501e..205420642a 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -15,7 +15,7 @@ sshd_accept_env: [] sshd_address_family: inet sshd_allow_agent_forwarding: true -sshd_allow_tcp_forwarding: false +sshd_allow_tcp_forwarding: local sshd_challenge_response_authentication: false sshd_ciphers_default: diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index 228c3d5a59..ffc7e80b3d 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 
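Review bot: Changing the default `sshd_allow_tcp_forwarding` from `false` to `local` turns on local port forwarding for every SSH account on the server, not only for the 127.0.0.1:3306 tunnel the commit title describes, and the `AllowTcpForwarding` line in the template hunk that follows passes the value through without any destination restriction. If the intent is just the MySQL tunnel, pair it with `PermitOpen 127.0.0.1:3306` (rendered from a new `sshd_permit_open` variable in sshd_config.j2) so a low-privilege or compromised account cannot use the server as a pivot to other local or network services. At minimum, a comment on the default such as `# 'local' permits SSH port forwarding for all users; previously disabled` would tell readers the default was widened.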
@@ -14,7 +14,7 @@ Protocol {{ sshd_protocol }} AcceptEnv {{ sshd_accept_env | join(' ') }} AddressFamily {{ sshd_address_family }} AllowAgentForwarding {{ sshd_allow_agent_forwarding | ternary('yes', 'no') }} -AllowTcpForwarding {{ sshd_allow_tcp_forwarding | ternary('yes', 'no') }} +AllowTcpForwarding {{ sshd_allow_tcp_forwarding is string | ternary(sshd_allow_tcp_forwarding, sshd_allow_tcp_forwarding | ternary('yes', 'no')) }} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} Ciphers {{ (sshd_ciphers_default + sshd_ciphers_extra) | join(',') }} ClientAliveInterval {{ sshd_client_alive_interval }} From 51f7b72566cf18b2c2653ce0b86e580d5babf6fa Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 19 Feb 2017 14:54:08 -0700 Subject: [PATCH 172/292] Set multisite constants false while checking wp core is-installed Creates php file that defines multisite constants false, then uses the file in `--require` param of task that checks `wp core is-installed`. Prevents `WordPress database error Table 'tablename' doesn't exist` that occurs when WordPress loads with... - constants set true for MULTISITE and SUBDOMAIN_INSTALL - no DB tables --- CHANGELOG.md | 1 + roles/deploy/files/tmp_multisite_constants.php | 4 ++++ roles/deploy/hooks/finalize-after.yml | 7 ++++++- 3 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 roles/deploy/files/tmp_multisite_constants.php diff --git a/CHANGELOG.md b/CHANGELOG.md index 9655e46b15..b162d4b54b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Set multisite constants false while checking `wp core is-installed` ([#766](https://github.com/roots/trellis/pull/766)) * Forward extra bin/deploy.sh parameters to ansible-playbook ([#748](https://github.com/roots/trellis/pull/748)) * Update WP-CLI to 1.1.0 ([#759](https://github.com/roots/trellis/pull/759)) * Add DOMAIN_CURRENT_SITE to default env variables ([#760](https://github.com/roots/trellis/pull/760)) 
diff --git a/roles/deploy/files/tmp_multisite_constants.php b/roles/deploy/files/tmp_multisite_constants.php new file mode 100644 index 0000000000..13bef1142f --- /dev/null +++ b/roles/deploy/files/tmp_multisite_constants.php @@ -0,0 +1,4 @@ + Date: Mon, 20 Feb 2017 13:56:36 -0800 Subject: [PATCH 173/292] Allow for per-project packagist.com authentication (#762) --- CHANGELOG.md | 1 + roles/deploy/hooks/build-after.yml | 8 ++++++++ roles/wordpress-install/tasks/main.yml | 9 +++++++++ 3 files changed, 18 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b162d4b54b..e97e076810 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Allow for per-project packagist.com authentication ([#762](https://github.com/roots/trellis/pull/762)) * Set multisite constants false while checking `wp core is-installed` ([#766](https://github.com/roots/trellis/pull/766)) * Forward extra bin/deploy.sh parameters to ansible-playbook ([#748](https://github.com/roots/trellis/pull/748)) * Update WP-CLI to 1.1.0 ([#759](https://github.com/roots/trellis/pull/759)) diff --git a/roles/deploy/hooks/build-after.yml b/roles/deploy/hooks/build-after.yml index d9d5da1c6d..6c8c462984 100644 --- a/roles/deploy/hooks/build-after.yml +++ b/roles/deploy/hooks/build-after.yml @@ -9,6 +9,14 @@ msg: "Unable to find a `composer.json` file in the root of '{{ deploy_helper.new_release_path }}'. Make sure your repo has a `composer.json` file in its root or edit `repo_subtree_path` for '{{ site }}' in `wordpress_sites.yml` so it points to the directory with a `composer.json` file." when: not composer_json.stat.exists +- name: Setup packagist.com authentication + composer: + command: config + arguments: --auth http-basic.repo.packagist.com token {{ project.packagist_token }} + working_dir: "{{ deploy_helper.new_release_path }}" + no_log: true + when: project.packagist_token is defined + - name: Install Composer dependencies composer: no_scripts: yes 
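Review bot: The `arguments:` line of `Setup packagist.com authentication` places `project.packagist_token` on the composer command line, so `no_log: true` hides it from Ansible output but not from the remote host's process list or audit log while the command runs, and `composer config --auth` presumably writes it to an `auth.json` under `deploy_helper.new_release_path`, where it then persists in every retained release. Consider supplying it to the install task through the environment instead, e.g. `environment: { COMPOSER_AUTH: '{"http-basic": {"repo.packagist.com": {"username": "token", "password": "{{ project.packagist_token }}"}}}' }`, or add a comment to the task noting that the token is written to the release's auth.json. The same applies to the identical task added to roles/wordpress-install/tasks/main.yml in the next hunk.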
diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index b046a8c183..7f65395b21 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -24,6 +24,15 @@ state: "{{ item.state | default('present') }}" with_items: "{{ known_hosts | default([]) }}" +- name: Setup packagist.com authentication + composer: + command: config + arguments: --auth http-basic.repo.packagist.com token {{ item.value.packagist_token }} + working_dir: "{{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/" + no_log: true + when: item.value.packagist_token is defined + with_dict: "{{ wordpress_sites }}" + - name: Install Dependencies with Composer composer: no_dev: no From 433869b058ff641a8f426d7ea56079cd3c110c36 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 21 Feb 2017 12:43:30 -0700 Subject: [PATCH 174/292] Validate SSH client/server compat only if client is OpenSSH 6.8+ Retrieves client's OpenSSH version and makes validation conditional on version 6.8+. Validation's -G option is available only in OpenSSH 6.8+. --- roles/common/defaults/main.yml | 1 + roles/common/tasks/main.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index c50b870a77..3f651bbb6f 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
@@ -17,6 +17,7 @@ apt_packages_default: apt_packages_custom: [] apt_packages_install: "{{ apt_packages_default + apt_packages_custom }}" +openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.8', '>=') }}" overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" overlapping_kex: "[{% for kex in (sshd_kex_algorithms_default + sshd_kex_algorithms_extra) if kex in ssh_client_kex %}'{{ kex }}',{% endfor %}]" overlapping_macs: "[{% for mac in (sshd_macs_default + sshd_macs_extra) if mac in ssh_client_macs %}'{{ mac }}',{% endfor %}]" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 9226e86308..c470f1b16c 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -50,7 +50,7 @@ ssh_client_kex: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep kexalgorithms') }}" ssh_client_macs: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep macs') }}" ssh_client_host_key_algorithms: "{{ lookup('pipe', 'ssh -ttG ' + ansible_host + ' | grep hostkeyalgorithms') }}" - when: validate_ssh | default(true) + when: openssh_6_8_plus and validate_ssh | default(true) tags: [sshd] - name: Validate compatible settings between SSH client and server @@ -61,7 +61,7 @@ - overlapping_macs | count - overlapping_host_keys | count msg: "{{ lookup('template', 'validate_ssh_msg.j2') }}" - when: validate_ssh | default(true) + when: openssh_6_8_plus and validate_ssh | default(true) tags: [sshd] - name: Checking essentials From be80f822f831a28028d44ff91474f338ff665b4f Mon Sep 17 00:00:00 2001 From: samkarpluk Date: Wed, 22 Feb 2017 08:13:55 -0800 Subject: [PATCH 175/292] Add PHP variables for cookies and default to HTTPOnly (#770) --- roles/php/defaults/main.yml | 2 ++ roles/php/templates/php.ini.j2 | 2 ++ 2 files changed, 4 insertions(+) 
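Review bot: `openssh_6_8_plus` assumes the `ssh -V` output contains `OpenSSH_<version>`; when it does not (a different SSH client, or `ssh` missing so the pipe lookup returns an error string) `regex_replace` leaves the whole string unchanged and that string is passed to `version_compare`, whose result in that case is not evident from the hunk. Both `when:` changes in roles/common/tasks/main.yml then skip the cipher/KEX/MAC compatibility validation silently, so a user on an older or non-OpenSSH client gets no indication that the check was bypassed. A comment on the variable, e.g. `# ssh -G needs OpenSSH 6.8+; the client/server compatibility validation is skipped on older clients`, or a `debug` task when it is skipped, would make this visible.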
diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index f47ca9b544..afe761ec17 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -12,6 +12,8 @@ php_mysqlnd_collect_memory_statistics: 'Off' php_post_max_size: 25M php_sendmail_path: /usr/sbin/ssmtp -t php_session_save_path: /tmp +php_session_cookie_httponly: 'On' +php_session_cookie_secure: 'Off' php_upload_max_filesize: 25M php_track_errors: 'Off' php_timezone: '{{ ntp_timezone }}' diff --git a/roles/php/templates/php.ini.j2 b/roles/php/templates/php.ini.j2 index 8c2b5ae0ae..3b899e7c91 100644 --- a/roles/php/templates/php.ini.j2 +++ b/roles/php/templates/php.ini.j2 @@ -11,6 +11,8 @@ memory_limit = {{ php_memory_limit }} post_max_size = {{ php_post_max_size }} sendmail_path = {{ php_sendmail_path }} session.save_path = {{ php_session_save_path }} +session.cookie_httponly = {{ php_session_cookie_httponly }} +session.cookie_secure = {{ php_session_cookie_secure }} track_errors = {{ php_track_errors }} upload_max_filesize = {{ php_upload_max_filesize }} expose_php = Off From 3a85628d9027d48efac706be526866bcfe27751d Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Thu, 23 Feb 2017 12:16:28 -0800 Subject: [PATCH 176/292] Update wordpress-site.conf.j2 --- .../templates/wordpress-site.conf.j2 | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 67e995ee3b..5b520e215a 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
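Review bot: `php_session_cookie_secure` defaults to `'Off'`, so the rendered `session.cookie_secure = Off` still lets PHP session cookies be sent over plaintext HTTP on sites that enable SSL; because php.ini is server-wide the default cannot follow a per-site `ssl.enabled`, which is worth stating next to the variable, e.g. `# Set to 'On' once every site on this server is served over HTTPS only`. The `php_session_cookie_httponly: 'On'` default is sound.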
@@ -29,6 +29,23 @@ server { {% endif -%} {% endblock -%} + {% block cache_conditions -%} + {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} + # Fastcgi cache conditions + set $skip_cache 0; + if ($query_string != "") { + set $skip_cache 1; + } + if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") { + set $skip_cache 1; + } + if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { + set $skip_cache 1; + } + + {% endif -%} + {% endblock -%} + {% block multisite_rewrites -%} {% if item.value.multisite.enabled | default(false) -%} # Multisite rewrites @@ -80,23 +97,6 @@ server { {% endblock -%} - {% block cache_conditions -%} - {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} - # Fastcgi cache conditions - set $skip_cache 0; - if ($query_string != "") { - set $skip_cache 1; - } - if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") { - set $skip_cache 1; - } - if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { - set $skip_cache 1; - } - - {% endif -%} - {% endblock -%} - {% block includes_d -%} include includes.d/{{ item.key }}/*.conf; From 0974b7824d297bfd0c88a8793747050d82ddebdd Mon Sep 17 00:00:00 2001 From: Nathaniel Date: Thu, 23 Feb 2017 12:16:59 -0800 Subject: [PATCH 177/292] Move $skip_cache before multisite rewrites See https://github.com/roots/trellis/issues/772#issuecomment-282106396 --- .../templates/wordpress-site.conf.j2 | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 67e995ee3b..5b520e215a 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
@@ -29,6 +29,23 @@ server { {% endif -%} {% endblock -%} + {% block cache_conditions -%} + {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} + # Fastcgi cache conditions + set $skip_cache 0; + if ($query_string != "") { + set $skip_cache 1; + } + if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") { + set $skip_cache 1; + } + if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { + set $skip_cache 1; + } + + {% endif -%} + {% endblock -%} + {% block multisite_rewrites -%} {% if item.value.multisite.enabled | default(false) -%} # Multisite rewrites @@ -80,23 +97,6 @@ server { {% endblock -%} - {% block cache_conditions -%} - {% if item.value.cache is defined and item.value.cache.enabled | default(false) -%} - # Fastcgi cache conditions - set $skip_cache 0; - if ($query_string != "") { - set $skip_cache 1; - } - if ($request_uri ~* "{{ item.value.cache.skip_cache_uri | default(nginx_skip_cache_uri) }}") { - set $skip_cache 1; - } - if ($http_cookie ~* "{{ item.value.cache.skip_cache_cookie | default(nginx_skip_cache_cookie) }}") { - set $skip_cache 1; - } - - {% endif -%} - {% endblock -%} - {% block includes_d -%} include includes.d/{{ item.key }}/*.conf; From fc4d88f6d945822db11fc11ea2bfe38de35ac537 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 26 Feb 2017 18:15:34 -0700 Subject: [PATCH 178/292] Move MySQL restart to handler for idempotence --- roles/mariadb/handlers/main.yml | 6 ++++++ roles/mariadb/tasks/main.yml | 7 +------ 2 files changed, 7 insertions(+), 6 deletions(-) create mode 100644 roles/mariadb/handlers/main.yml diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml new file mode 100644 index 0000000000..3bde7e4292 --- /dev/null +++ b/roles/mariadb/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: restart mysql server + service: + name: mysql + state: restarted + enabled: true 
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index cb37c3419d..5e998fde95 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -19,12 +19,7 @@ owner: root group: root when: mysql_binary_logging_disabled - - - name: Restart MySQL Server - service: - name: mysql - state: restarted - enabled: true + notify: restart mysql server - name: Set root user password mysql_user: From e9d09e49b9174f58ae0bd78c9e8302345f7928ef Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 28 Feb 2017 12:03:35 -0700 Subject: [PATCH 179/292] Always set_fact for ansible_user, even if CLI --check or --user * Fixes #779 * Playbook needs `ansible_user` defined even if CLI includes `--check`, so this edit adds `debug_mode: no` to `set_fact` for `ansible_user`. * The variable `ansible_user` must be explicitly defined (vs. being only an Ansible magic var) in order to be functional in definition of `ansible_become_pass`, so this edit causes the `set_fact` for `ansible_user` to always run. --- roles/remote-user/tasks/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index 7da78f8505..85693d7ed8 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml @@ -10,13 +10,14 @@ local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u root {{ cli_options | default('') }} failed_when: false changed_when: false + check_mode: no register: root_status tags: [connection-tests] - name: Set remote user for each host set_fact: - ansible_user: "{{ ('root' in root_status.stdout_lines) | ternary('root', admin_user) }}" - when: ansible_user is not defined + ansible_user: "{{ ansible_user | default(('root' in root_status.stdout_lines) | ternary('root', admin_user)) }}" + check_mode: no - name: Announce which user was selected debug: From d12ce57185d71f7767c019acf2c3bd59965ebf09 Mon Sep 17 00:00:00 2001 
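Review bot: Moving the restart into a handler changes when it runs: handlers fire at the end of the play (or at a `meta: flush_handlers`), whereas the removed task restarted MySQL immediately after the binary-logging configuration change, before `Set root user password` and the tasks that follow it. If any later task in this play relies on the new configuration being active, add `- meta: flush_handlers` directly after the notifying task; otherwise a comment noting that the restart is deferred to the end of the play would help. The notifying task begins above the hunk, so its name and module are not visible here.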
From: Scott Walkinshaw Date: Sat, 11 Mar 2017 16:39:56 -0500 Subject: [PATCH 180/292] PHP custom extensions support Adds a `php_extensions_custom` variable to allow users to specific custom extensions to be installed. `php_extensions_default` can also be defined to change the default extensions. --- CHANGELOG.md | 1 + roles/common/defaults/main.yml | 2 +- roles/common/tasks/main.yml | 2 +- roles/php/defaults/main.yml | 18 ++++++++++++++++++ roles/php/tasks/main.yml | 15 +-------------- 5 files changed, 22 insertions(+), 16 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e97e076810..2c783c728c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Allow customization of PHP extensions ([#787](https://github.com/roots/trellis/pull/787)) * Allow for per-project packagist.com authentication ([#762](https://github.com/roots/trellis/pull/762)) * Set multisite constants false while checking `wp core is-installed` ([#766](https://github.com/roots/trellis/pull/766)) * Forward extra bin/deploy.sh parameters to ansible-playbook ([#748](https://github.com/roots/trellis/pull/748)) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 3f651bbb6f..43a6a9a4ac 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -15,7 +15,7 @@ apt_packages_default: - libnss-myhostname apt_packages_custom: [] -apt_packages_install: "{{ apt_packages_default + apt_packages_custom }}" +apt_packages: "{{ apt_packages_default + apt_packages_custom }}" openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.8', '>=') }}" overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index c470f1b16c..7f8af1743d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -70,7 +70,7 @@ state: present update_cache: true cache_valid_time: "{{ apt_cache_valid_time }}" - with_items: "{{ apt_packages_install }}" + with_items: "{{ apt_packages }}" - name: Validate timezone variable stat: diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index afe761ec17..518b6491b1 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -1,6 +1,24 @@ disable_default_pool: true memcached_sessions: false +php_extensions_default: + - php7.1-cli + - php7.1-common + - php7.1-curl + - php7.1-dev + - php7.1-fpm + - php7.1-gd + - php7.1-mbstring + - php7.1-mcrypt + - php7.1-mysql + - php7.1-opcache + - php7.1-xml + - php7.1-xmlrpc + - php7.1-zip + +php_extensions_custom: [] +php_extensions: "{{ php_extensions_default + php_extensions_custom }}" + php_error_reporting: 'E_ALL & ~E_DEPRECATED & ~E_STRICT' php_display_errors: 'Off' php_display_startup_errors: 'Off' diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index f3682fabbb..c88a1f10a2 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -9,20 +9,7 @@ name: "{{ item }}" state: present force: yes - with_items: - - php7.1-cli - - php7.1-common - - php7.1-curl - - php7.1-dev - - php7.1-fpm - - php7.1-gd - - php7.1-mbstring - - php7.1-mcrypt - - php7.1-mysql - - php7.1-opcache - - php7.1-xml - - php7.1-xmlrpc - - php7.1-zip + with_items: "{{ php_extensions }}" - name: Start php7.1-fpm service service: From 8f2f3f88854c9f5c48a547724ba90535c6b2de2a Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 31 Jan 2017 19:37:52 -0700 Subject: [PATCH 181/292] Add detection and message about changed host key --- deploy.yml | 8 +++++ roles/remote-user/tasks/main.yml | 58 +++++++++++++++++++++++--------- rollback.yml | 8 +++++ server.yml | 2 +- xdebug-tunnel.yml | 2 +- 5 files changed, 60 insertions(+), 18 deletions(-) diff --git a/deploy.yml b/deploy.yml index 0e6f1efa39..3f1277f583 100644 --- a/deploy.yml +++ b/deploy.yml 
@@ -3,6 +3,14 @@ vars: playbook: deploy.yml +- name: Test Connection + hosts: web:&{{ env }} + gather_facts: false + vars: + dynamic_user: false + roles: + - { role: remote-user, tags: [remote-user, always] } + - name: Deploy WP site hosts: web:&{{ env }} remote_user: "{{ web_user }}" diff --git a/roles/remote-user/tasks/main.yml b/roles/remote-user/tasks/main.yml index 85693d7ed8..c56e1acd64 100644 --- a/roles/remote-user/tasks/main.yml +++ b/roles/remote-user/tasks/main.yml 
@@ -4,27 +4,53 @@ msg: | When using `--ask-pass` option, use `-u` option to define remote-user: ansible-playbook server.yml -e env={{ env | default('production') }} -u root --ask-pass - when: ansible_user is not defined and cli_ask_pass | default(false) + when: dynamic_user | default(true) and ansible_user is not defined and cli_ask_pass | default(false) -- name: Check whether Ansible can connect as root - local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u root {{ cli_options | default('') }} +- name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} + local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} {{ cli_options | default('') }} -vvvv failed_when: false changed_when: false check_mode: no - register: root_status + register: connection_status tags: [connection-tests] -- name: Set remote user for each host - set_fact: - ansible_user: "{{ ansible_user | default(('root' in root_status.stdout_lines) | ternary('root', admin_user)) }}" - check_mode: no +- name: Warn about change in host keys + fail: + msg: | + WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! + + If this change in host keys is expected (e.g., if you rebuilt the server + or if the Trellis sshd role made changes recently), then run the following + command to clear the old host key from your known_hosts. + + ssh-keygen -R {{ connection_status.stdout | regex_replace('(.|\n)*host key for (.*) has changed(.|\n)*', '\2') }} + + Then try your Trellis playbook or SSH connection again. + + If the change is unexpected, cautiously consider why the host identification + may have changed and whether you may be victim to a man-in-the-middle attack. 
+ + --------------------------------------------------- + {{ (connection_status.stdout.replace('Please contact your system administrator.\r\n', '') | + regex_replace ('(.|\n)*(The fingerprint for the(.|\n)*Host key verification failed.)(.|\n)*', '\2') | + regex_replace('(\\r\\n|\\n)', '\n\n')).replace('\"', '"') }} + when: "'REMOTE HOST IDENTIFICATION HAS CHANGED' in connection_status.stdout" + tags: [connection-tests] + +- block: + - name: Set remote user for each host + set_fact: + ansible_user: "{{ ansible_user | default(('root' in connection_status.stdout_lines) | ternary('root', admin_user)) }}" + check_mode: no + + - name: Announce which user was selected + debug: + msg: "Note: Ansible will attempt connections as user = {{ ansible_user }}" -- name: Announce which user was selected - debug: - msg: "Note: Ansible will attempt connections as user = {{ ansible_user }}" + - name: Load become password + set_fact: + ansible_become_pass: "{% raw %}{% for user in vault_users | default([]) if user.name == ansible_user %}{{ user.password | default('') }}{% endfor %}{% endraw %}" + when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined + no_log: true -- name: Load become password - set_fact: - ansible_become_pass: "{% raw %}{% for user in vault_users | default([]) if user.name == ansible_user %}{{ user.password | default('') }}{% endfor %}{% endraw %}" - when: ansible_user != 'root' and not cli_ask_become_pass | default(false) and ansible_become_pass is not defined - no_log: true + when: dynamic_user | default(true) diff --git a/rollback.yml b/rollback.yml index 2ce5ff5212..f7d35c2d14 100644 --- a/rollback.yml +++ b/rollback.yml @@ -3,6 +3,14 @@ vars: playbook: rollback.yml +- name: Test Connection + hosts: web:&{{ env }} + gather_facts: false + vars: + dynamic_user: false + roles: + - { role: remote-user, tags: [remote-user, always] } + - name: Rollback a Deploy hosts: web:&{{ env }} remote_user: "{{ web_user }}" 
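Review bot: The `-vvvv` added to the connection-test command carries no comment explaining why it is needed, and the host-key detection in the `when:` of `Warn about change in host keys` matches the ssh client's literal English phrase `REMOTE HOST IDENTIFICATION HAS CHANGED`, so a client that words the warning differently would fall through to the normal user selection with the failure masked by `failed_when: false`. Add a comment above the command stating the reason, e.g. `# -vvvv so the ssh client's host-key warning and fingerprint are captured in stdout for the check below` (if that is indeed why it was added), and note next to the `when:` that it depends on the client's warning text. `dynamic_user | default(true)` is also evaluated in four places in this hunk; a single role default for `dynamic_user` would avoid the repeated expression. The first task in the hunk starts above it.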
diff --git a/server.yml b/server.yml index 6be01d91fa..d7dfe43a40 100644 --- a/server.yml +++ b/server.yml @@ -3,7 +3,7 @@ vars: playbook: server.yml -- name: Determine Remote User +- name: Test Connection and Determine Remote User hosts: web:&{{ env }} gather_facts: false roles: diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 6da907642c..858e63935f 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -1,5 +1,5 @@ --- -- name: Determine Remote User +- name: Test Connection and Determine Remote User hosts: "{{ xdebug_tunnel_inventory_host }}" gather_facts: false roles: From 6851788e76063bd8a228c9d034aade341f869297 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 31 Jan 2017 19:59:21 -0700 Subject: [PATCH 182/292] Change remote-user role to connection role: tests host key, user --- CHANGELOG.md | 1 + deploy.yml | 2 +- roles/{remote-user => connection}/tasks/main.yml | 0 rollback.yml | 2 +- server.yml | 2 +- xdebug-tunnel.yml | 2 +- 6 files changed, 5 insertions(+), 4 deletions(-) rename roles/{remote-user => connection}/tasks/main.yml (100%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c783c728c..0dd97962f6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Change `remote-user` role to `connection` role: tests host key, user ([#745](https://github.com/roots/trellis/pull/745)) * Allow customization of PHP extensions ([#787](https://github.com/roots/trellis/pull/787)) * Allow for per-project packagist.com authentication ([#762](https://github.com/roots/trellis/pull/762)) * Set multisite constants false while checking `wp core is-installed` ([#766](https://github.com/roots/trellis/pull/766)) diff --git a/deploy.yml b/deploy.yml index 3f1277f583..819a38ec6c 100644 --- a/deploy.yml +++ b/deploy.yml @@ -9,7 +9,7 @@ vars: dynamic_user: false roles: - - { role: remote-user, tags: [remote-user, always] } + - { role: connection, tags: [connection, always] } - name: Deploy WP site hosts: web:&{{ env }} 
diff --git a/roles/remote-user/tasks/main.yml b/roles/connection/tasks/main.yml similarity index 100% rename from roles/remote-user/tasks/main.yml rename to roles/connection/tasks/main.yml diff --git a/rollback.yml b/rollback.yml index f7d35c2d14..a74b318f0e 100644 --- a/rollback.yml +++ b/rollback.yml @@ -9,7 +9,7 @@ vars: dynamic_user: false roles: - - { role: remote-user, tags: [remote-user, always] } + - { role: connection, tags: [connection, always] } - name: Rollback a Deploy hosts: web:&{{ env }} diff --git a/server.yml b/server.yml index d7dfe43a40..ec5df22001 100644 --- a/server.yml +++ b/server.yml @@ -7,7 +7,7 @@ hosts: web:&{{ env }} gather_facts: false roles: - - { role: remote-user, tags: [remote-user, always] } + - { role: connection, tags: [connection, always] } - name: Install prerequisites hosts: web:&{{ env }} diff --git a/xdebug-tunnel.yml b/xdebug-tunnel.yml index 858e63935f..355a334b06 100644 --- a/xdebug-tunnel.yml +++ b/xdebug-tunnel.yml @@ -3,7 +3,7 @@ hosts: "{{ xdebug_tunnel_inventory_host }}" gather_facts: false roles: - - { role: remote-user, tags: [remote-user, always] } + - { role: connection, tags: [connection, always] } - name: Enable or Disable Xdebug and SSH Tunnel hosts: "{{ xdebug_tunnel_inventory_host }}" From 7c6846d74cef2b017816201bac1cf9858b5d68ed Mon Sep 17 00:00:00 2001 From: Ken Rufe Date: Fri, 17 Mar 2017 10:18:04 -0400 Subject: [PATCH 183/292] Moved address family above ListenAddress - provisioning a server failed with "failed to validate /root/.ansible/tmp/ansible-tmp-1489759318.18-198304737737752/source line 8: address family must be specified before ListenAddress." for ansible 2.2.0.0 --- roles/sshd/templates/sshd_config.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/sshd/templates/sshd_config.j2 b/roles/sshd/templates/sshd_config.j2 index ffc7e80b3d..a1b961d7d4 100644 --- a/roles/sshd/templates/sshd_config.j2 +++ b/roles/sshd/templates/sshd_config.j2 
@@ -5,6 +5,8 @@ Port {{ port }} {% endfor -%} +AddressFamily {{ sshd_address_family }} + {% for address in sshd_listen_addresses %} ListenAddress {{ address }} {% endfor -%} @@ -12,7 +14,6 @@ ListenAddress {{ address }} Protocol {{ sshd_protocol }} AcceptEnv {{ sshd_accept_env | join(' ') }} -AddressFamily {{ sshd_address_family }} AllowAgentForwarding {{ sshd_allow_agent_forwarding | ternary('yes', 'no') }} AllowTcpForwarding {{ sshd_allow_tcp_forwarding is string | ternary(sshd_allow_tcp_forwarding, sshd_allow_tcp_forwarding | ternary('yes', 'no')) }} ChallengeResponseAuthentication {{ sshd_challenge_response_authentication | ternary('yes', 'no') }} From e35f933801f8c575a874014f10068edcf769befe Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 21 Mar 2017 18:12:37 -0600 Subject: [PATCH 184/292] Create includes.d even if nginx-includes has no subdirs The dirname filter retrieves a template's subdirectory (within nginx-includes), then the select filter removed empty values created by templates in the nginx-includes root. This removes the select filter so that includes.d will still be created if the only templates are in the nginx-includes root. --- roles/wordpress-setup/tasks/nginx-includes.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/wordpress-setup/tasks/nginx-includes.yml b/roles/wordpress-setup/tasks/nginx-includes.yml index 911807655c..a9859b0afb 100644 --- a/roles/wordpress-setup/tasks/nginx-includes.yml +++ b/roles/wordpress-setup/tasks/nginx-includes.yml @@ -22,8 +22,9 @@ mode: 0755 with_items: "{{ nginx_includes_templates.files | map(attribute='path') | map('regex_replace', nginx_includes_pattern, '\\2') | - map('dirname') | unique | select | list | sort + map('dirname') | unique | list | sort }}" + when: nginx_includes_templates.files | count - name: Template files out to includes.d template: From e48526e84a086418fc4188baf8bfbda15801eeca Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Tue, 21 Mar 2017 19:53:44 -0600 Subject: [PATCH 185/292] Run WordPress installed check before finalizing deploy The "WordPress installed?" deploy task occasionally detects errors. It would be helpful to detect such errors and fail before finalizing the deploy (before creating symlink to release dir). --- deploy.yml | 1 + roles/deploy/hooks/finalize-after.yml | 13 ------------- roles/deploy/hooks/finalize-before.yml | 13 +++++++++++++ 3 files changed, 14 insertions(+), 13 deletions(-) create mode 100644 roles/deploy/hooks/finalize-before.yml diff --git a/deploy.yml b/deploy.yml index 819a38ec6c..918cd9a8e1 100644 --- a/deploy.yml +++ b/deploy.yml @@ -18,6 +18,7 @@ vars: deploy_build_before: "{{ playbook_dir }}/deploy-hooks/build-before.yml" deploy_build_after: "{{ playbook_dir }}/roles/deploy/hooks/build-after.yml" + deploy_finalize_before: "{{ playbook_dir }}/roles/deploy/hooks/finalize-before.yml" deploy_finalize_after: "{{ playbook_dir }}/roles/deploy/hooks/finalize-after.yml" project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 2b75bc08c5..903f41c4fa 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -1,17 +1,4 @@ --- -- name: Create file with multisite constants defined as false - copy: - src: "tmp_multisite_constants.php" - dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" - -- name: WordPress Installed? - command: wp core is-installed --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php - args: - chdir: "{{ deploy_helper.current_path }}" - register: wp_installed - changed_when: false - failed_when: wp_installed.stderr != "" - - block: - name: Update WP database command: wp core update-db diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml new file mode 100644 index 0000000000..1b3a2d03de 
--- /dev/null +++ b/roles/deploy/hooks/finalize-before.yml @@ -0,0 +1,13 @@ +--- +- name: Create file with multisite constants defined as false + copy: + src: "tmp_multisite_constants.php" + dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" + +- name: WordPress Installed? + command: wp core is-installed --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php + args: + chdir: "{{ deploy_helper.new_release_path }}" + register: wp_installed + changed_when: false + failed_when: wp_installed.stderr != "" From 7894d2de38284d92af3475c43bee152db3224257 Mon Sep 17 00:00:00 2001 From: Mehdi Lahlou Date: Fri, 24 Mar 2017 00:59:54 +0100 Subject: [PATCH 186/292] Add additional nginx sites configurations support (#793) --- CHANGELOG.md | 1 + roles/nginx/defaults/main.yml | 2 ++ roles/nginx/tasks/main.yml | 20 ++++++++++++++++---- roles/nginx/templates/no-default.conf.j2 | 13 +++++++++++++ 4 files changed, 32 insertions(+), 4 deletions(-) create mode 100644 roles/nginx/templates/no-default.conf.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 0dd97962f6..311f86f785 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add additional Nginx sites configurations support ([#793](https://github.com/roots/trellis/pull/793)) * Change `remote-user` role to `connection` role: tests host key, user ([#745](https://github.com/roots/trellis/pull/745)) * Allow customization of PHP extensions ([#787](https://github.com/roots/trellis/pull/787)) * Allow for per-project packagist.com authentication ([#762](https://github.com/roots/trellis/pull/762)) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 09f95c6731..27242dc605 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml 
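Review bot: The `WordPress Installed?` task in the new finalize-before.yml sets `failed_when: wp_installed.stderr != ""` and never looks at `rc`, which is not obvious to a reader since `wp core is-installed` (as far as I recall) exits non-zero when WordPress is simply not installed yet, and that is presumably the signal the later finalize-after block keys on. A comment on the task would prevent someone "fixing" it into `failed_when: wp_installed.rc != 0` and breaking first deploys: `# is-installed exits 1 on a fresh site; only stderr output (PHP errors, missing DB) aborts the deploy before the release is switched`. Also note the `--require=` path is built from `deploy_helper.shared_path` inside a `command:` string, which Ansible splits on whitespace, so a shared path containing a space would break the invocation; quoting it (`--require="{{ deploy_helper.shared_path }}/tmp_multisite_constants.php"`) is cheap insurance.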
@@ -5,6 +5,8 @@ nginx_logs_root: /var/log/nginx nginx_user: www-data nginx_fastcgi_buffers: 8 8k nginx_fastcgi_buffer_size: 8k +nginx_sites_confs: + - src: no-default.conf.j2 # Fastcgi cache params nginx_cache_path: /var/cache/nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index b286d614da..5ca6c871b9 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -50,8 +50,20 @@ state: absent notify: reload nginx -- name: Enable better default site to drop unknown requests - command: cp {{ nginx_path }}/h5bp-server-configs/sites-available/no-default {{ nginx_path }}/sites-enabled/no-default.conf - args: - creates: "{{ nginx_path }}/sites-enabled/no-default.conf" +- name: Create Nginx available sites + template: + src: "{{ item.src }}" + dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" + with_items: "{{ nginx_sites_confs }}" + when: item.enabled | default(true) + tags: nginx-sites + +- name: Enable or disable Nginx sites + file: + path: "{{ nginx_path }}/sites-enabled/{{ item.src | basename | regex_replace('.j2$', '') }}" + src: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" + state: "{{ item.enabled | default(true) | ternary('link', 'absent') }}" + force: yes + with_items: "{{ nginx_sites_confs }}" notify: reload nginx + tags: nginx-sites diff --git a/roles/nginx/templates/no-default.conf.j2 b/roles/nginx/templates/no-default.conf.j2 new file mode 100644 index 0000000000..f12dd3e873 --- /dev/null +++ b/roles/nginx/templates/no-default.conf.j2 @@ -0,0 +1,13 @@ +# {{ ansible_managed }} + +# Drop requests for unknown hosts +# +# If no default server is defined, nginx will use the first found server. +# To prevent host header attacks, or other potential problems when an unknown +# servername is used in a request, it's recommended to drop the request +# returning 444 "no response". + +server { + listen 80 default_server; + return 444; +} 
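Review bot: The new `Create Nginx available sites` task in roles/nginx/tasks/main.yml has no `notify`, while the `Enable or disable Nginx sites` task only reports a change when the symlink is created or removed, so editing a template in `nginx_sites_confs` for a site that is already enabled re-renders the file in sites-available without ever reloading nginx. Add `notify: reload nginx` to the template task as well. Since this mechanism now installs arbitrary server blocks, consider also adding `validate: "nginx -t -c %s"`-style checking on the rendered output if the role has one for its other templates (not visible in this hunk), so a bad site file does not take nginx down on reload.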
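Review bot: The new no-default.conf.j2 says it exists "to prevent host header attacks", but it only declares `listen 80 default_server`, so a request with an unknown Host over port 443 is still served by whichever `listen 443 ssl` block nginx finds first, which is exactly the case the file is meant to close. A matching `listen 443 ssl default_server; return 444;` block is needed for the mitigation to hold on TLS; it requires a certificate/key to be configured (a self-signed one is fine since the block never serves content), which is why it is worth calling out rather than silently dropping. At minimum the comment should be narrowed to say the catch-all currently covers HTTP only, e.g. `# NOTE: only HTTP; HTTPS requests for unknown hosts still hit the first ssl server block`.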
From f5cc2284bfe1273cd0ad1408cb44a10aa72a4693 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 23 Mar 2017 01:04:02 -0600 Subject: [PATCH 187/292] Check Ansible version before Ansible validates task attributes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoids "ERROR! ‘check_mode’ is not a valid attribute for a Task" which occurs for Ansible lt 2.2. Ansible validates task attributes before running a playbook and before loading callback plugins, so a vars plugin appeared to be the only option for intercepting the error with a version check and message. --- CHANGELOG.md | 1 + Vagrantfile | 1 + ansible.cfg | 1 + lib/trellis/plugins/callback/output.py | 6 ------ lib/trellis/plugins/vars/version.py | 20 ++++++++++++++++++++ roles/common/defaults/main.yml | 4 ---- roles/common/tasks/main.yml | 11 ----------- 7 files changed, 23 insertions(+), 21 deletions(-) create mode 100644 lib/trellis/plugins/vars/version.py diff --git a/CHANGELOG.md b/CHANGELOG.md index 311f86f785..d17fed1725 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Check Ansible version before Ansible validates task attributes ([#797](https://github.com/roots/trellis/pull/797)) * Add additional Nginx sites configurations support ([#793](https://github.com/roots/trellis/pull/793)) * Change `remote-user` role to `connection` role: tests host key, user ([#745](https://github.com/roots/trellis/pull/745)) * Allow customization of PHP extensions ([#787](https://github.com/roots/trellis/pull/787)) diff --git a/Vagrantfile b/Vagrantfile index 192a86cb7f..096085f240 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -16,6 +16,7 @@ ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback_plugins/:/usr/sha ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" ENV['ANSIBLE_LIBRARY'] = "/usr/share/ansible:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" ENV['ANSIBLE_ROLES_PATH'] = File.join(ANSIBLE_PATH, 'vendor', 'roles') +ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" config_file = File.join(ANSIBLE_PATH, 'group_vars', 'development', 'wordpress_sites.yml') diff --git a/ansible.cfg b/ansible.cfg index ab366391ec..e200ee7a59 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -7,6 +7,7 @@ force_handlers = True inventory = hosts nocows = 1 roles_path = vendor/roles +vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:lib/trellis/plugins/vars [ssh_connection] ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa diff --git a/lib/trellis/plugins/callback/output.py b/lib/trellis/plugins/callback/output.py index 6c86df64c4..9bb2cbede6 100644 --- a/lib/trellis/plugins/callback/output.py +++ b/lib/trellis/plugins/callback/output.py @@ -5,12 +5,6 @@ import os.path import sys -from ansible import __version__ -from ansible.errors import AnsibleError - -if __version__.startswith('1'): - raise AnsibleError('Trellis no longer supports Ansible 1.x. Please upgrade to Ansible 2.x.') - from ansible.plugins.callback.default import CallbackModule as CallbackModule_default try: diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py new file mode 100644 index 0000000000..bc766f54ce --- /dev/null +++ b/lib/trellis/plugins/vars/version.py 
@@ -0,0 +1,20 @@ +# Make coding more python3-ish +from __future__ import (absolute_import, division, print_function) +__metaclass__ = type + +from ansible import __version__ +from ansible.errors import AnsibleError +from distutils.version import LooseVersion +from operator import ge + +version_requirement = '2.2.0.0' +if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): + raise AnsibleError(('Trellis no longer supports Ansible {}.\n' + 'Please upgrade to Ansible {} or higher.').format(__version__, version_requirement)) + + +class VarsModule(object): + ''' Creates and modifies host variables ''' + + def __init__(self, inventory): + pass diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 43a6a9a4ac..2a6d4a1f4f 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -1,7 +1,3 @@ -ansible_requirements: - - version: 2.2.0.0 - operator: '>=' - ntp_timezone: Etc/UTC apt_packages_default: diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 7f8af1743d..b5a37ab91d 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,15 +1,4 @@ --- -- name: Validate Ansible version - fail: - msg: | - Your Ansible version is {{ ansible_version.full | default('unknown') }}. - Please install a version of Ansible that meets these requirements: - {% for item in ansible_requirements %} - {{ item.operator }} {{ item.version }} - {% endfor %} - when: ansible_version is not defined or false in [{% for item in ansible_requirements %}{{ ansible_version.full | version_compare(item.version, item.operator) }},{% endfor %}] - run_once: true - - name: Validate format of site_hosts fail: msg: "{{ lookup('template', 'site_hosts.j2') }}" From 8d5ebaceb9c0d36869a4920b3b6418a13d1c6f91 Mon Sep 17 00:00:00 2001 
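Review bot: The version check in the new lib/trellis/plugins/vars/version.py is written as `if not ge(LooseVersion(__version__), LooseVersion(version_requirement)):`, which imports `operator.ge` only to negate it; `LooseVersion` supports comparison directly, so `if LooseVersion(__version__) < LooseVersion(version_requirement):` says the same thing without the extra import. The reason the check lives in a vars plugin at all is only explained in the commit message, and the `VarsModule` docstring ("Creates and modifies host variables") describes something the class does not do; a module docstring such as `"""Ansible version gate. Vars plugins are loaded before task attributes are validated, so this is the earliest point at which an unsupported Ansible can be rejected with a clear message."""` would carry that knowledge into the file. Note also that the gate only runs when `vars_plugins` points at this directory (the ansible.cfg and Vagrantfile hunks do that); a user running with a different ANSIBLE_CONFIG presumably gets the raw attribute-validation error instead, which may be worth a sentence in that docstring.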
From: Stefan Lindberg Date: Sat, 25 Mar 2017 01:18:00 +0100 Subject: [PATCH 188/292] Use Ansible's ~/.ssh/ default path for known_hosts (#799) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Removes hard-coded path to prevent errors with custom home dir: 
`Failed to write to file /home/username/.ssh/known_hosts: [Errno 2] No such file or directory` --- roles/deploy/tasks/update.yml | 2 +- roles/wordpress-install/tasks/main.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 4af0bb40da..893a1b7987 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -6,7 +6,7 @@ known_hosts: name: "{{ item.name }}" key: "{{ item.key | default(omit) }}" - path: "{{ item.path | default('/home/' + ansible_user + '/.ssh/known_hosts') }}" + path: "{{ item.path | default(omit) }}" state: "{{ item.state | default('present') }}" with_items: "{{ known_hosts | default([]) }}" diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 7f65395b21..3e1effb15f 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -20,8 +20,9 @@ known_hosts: name: "{{ item.name }}" key: "{{ item.key | default(omit) }}" - path: "{{ item.path | default('/home/' + ansible_user + '/.ssh/known_hosts') }}" + path: "{{ item.path | default(omit) }}" state: "{{ item.state | default('present') }}" + become: no with_items: "{{ known_hosts | default([]) }}" - name: Setup packagist.com authentication From 6ecd14a3528969c2d5a6f3bd43aa75c70af706dd Mon Sep 17 00:00:00 2001 From: QWp6t Date: Sat, 25 Mar 2017 14:25:12 -0700 Subject: [PATCH 189/292] Update constants passed to `wp core is-installed` --- roles/deploy/files/tmp_multisite_constants.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/deploy/files/tmp_multisite_constants.php b/roles/deploy/files/tmp_multisite_constants.php index 13bef1142f..e468cc8bfc 100644 --- a/roles/deploy/files/tmp_multisite_constants.php +++ b/roles/deploy/files/tmp_multisite_constants.php 
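Review bot: The `become: no` added to the known_hosts task in roles/wordpress-install/tasks/main.yml silently decides which account's `~/.ssh/known_hosts` receives the entry now that the path is omitted: with the module's default the file is resolved in the connecting user's home, not root's, and whether that is the account that later performs the git operations cannot be confirmed from this hunk (the deploy-side task in roles/deploy/tasks/update.yml resolves against that play's remote user instead, so the two tasks may now write different files). A comment stating the intended target keeps this from being "cleaned up" later, e.g. `# become: no so the entry lands in the SSH user's known_hosts (the default path), not root's`. If the same hosts must be trusted by the deploy user as well, that should be said explicitly or the path passed.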
@@ -2,3 +2,6 @@ error_reporting(E_ALL & ~E_NOTICE); define('MULTISITE', false); define('SUBDOMAIN_INSTALL', false); +define('WPMU_PLUGIN_DIR', null); +define('WP_PLUGIN_DIR', null); +define('WP_USE_THEMES', false); From 28d5e773ee309a427c1f7d3ac2fc5fdb854a8ac0 Mon Sep 17 00:00:00 2001 From: QWp6t Date: Sat, 25 Mar 2017 14:40:54 -0700 Subject: [PATCH 190/292] Skip plugins & themes during `wp_installed` --- roles/deploy/hooks/finalize-before.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 1b3a2d03de..5ab2ac2bf1 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -5,7 +5,7 @@ dest: "{{ deploy_helper.shared_path }}/tmp_multisite_constants.php" - name: WordPress Installed? - command: wp core is-installed --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php + command: wp core is-installed --skip-plugins --skip-themes --require={{ deploy_helper.shared_path }}/tmp_multisite_constants.php args: chdir: "{{ deploy_helper.new_release_path }}" register: wp_installed From cdb28c013f2c890c03442350f6211cbc6ae9277c Mon Sep 17 00:00:00 2001 From: QWp6t Date: Sun, 26 Mar 2017 04:04:11 -0700 Subject: [PATCH 191/292] Add cron task for multisite --- roles/wordpress-setup/tasks/main.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 28e5fe7bed..b7f578c875 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml 
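Review bot: `define('WP_PLUGIN_DIR', null);` and `define('WPMU_PLUGIN_DIR', null);` in tmp_multisite_constants.php disable plugins through a side effect rather than an explicit switch: as far as I recall WordPress builds plugin include paths as `WP_PLUGIN_DIR . '/' . $plugin`, so a null value makes them resolve against the filesystem root (e.g. `/akismet/akismet.php`) and they are skipped only because such paths do not normally exist. The intent is not visible in the file; add `// null makes WP resolve plugin paths against "/", so no plugin code runs during the is-installed check` above the defines, or point the constants at a known-empty directory under the shared path instead, which expresses the same thing without relying on the root filesystem layout.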
@@ -49,4 +49,14 @@ job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" - when: site_env.disable_wp_cron and not item.value.multisite.enabled | default(false) + when: site_env.disable_wp_cron | default(false) + +- name: Setup WP Multisite system cron + cron: + name: "{{ item.key }} WordPress network cron" + minute: "*/30" + user: "{{ web_user }}" + job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" + cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" + with_dict: "{{ wordpress_sites }}" + when: site_env.disable_wp_cron and item.value.multisite.enabled | default(false) From bfde978f8d4a2fdb545970ed6bc0428ab90815d9 Mon Sep 17 00:00:00 2001 From: Mehdi Lahlou Date: Thu, 30 Mar 2017 01:49:59 +0200 Subject: [PATCH 192/292] Fix #806 - Strip www. prefix for multisite server names in Nginx --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 5b520e215a..240b3dc45e 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 
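Review bot: The first cron task's condition was changed to `when: site_env.disable_wp_cron | default(false)`, dropping the `and not item.value.multisite.enabled` clause, so on a multisite install both the per-site job and the new `WordPress network cron` job are now installed and the main site's due events run twice every interval. Unless that is intended, the first task should keep the exclusion: `when: site_env.disable_wp_cron | default(false) and not item.value.multisite.enabled | default(false)`. The new multisite task also omits `| default(false)` on `site_env.disable_wp_cron`, so the two tasks behave differently when that key is absent; make them consistent.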
@@ -5,7 +5,7 @@ server { {% block server_id -%} listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; - server_name {% for host in site_hosts_canonical %}{{ host }} {% if item.value.multisite.subdomains | default(false) %}*.{{ host }} {% endif %}{% endfor %}; + server_name {{ site_hosts_canonical | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | map('regex_replace', '^www\.', '') | join(' *.') }}{% endif %}; {% endblock %} {% block logs -%} @@ -157,7 +157,7 @@ server { # Redirect to https server { listen 80; - server_name {{ site_hosts | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | join(' *.') }}{% endif %}; + server_name {{ site_hosts | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | map('regex_replace', '^www\.', '') | join(' *.') }}{% endif %}; {{ self.acme_challenge() -}} From ebcf36cb082407e6f3bcfc84f4b8fd6db864df87 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 29 Mar 2017 19:17:10 -0600 Subject: [PATCH 193/292] Ansible 2.2.2 compatibility Prior to Ansible 2.2.2, a registered var from a non-looping skipped task was undefined. As of Ansible 2.2.2, such a var is defined. This commit changes a subsequent task's conditional to no longer rely on the registered var's inconsistent status as defined/undefined. --- roles/deploy/tasks/prepare.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 811ac7a547..e02b29142e 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml 
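Review bot: Stripping the `www.` prefix in `site_hosts_canonical | map('regex_replace', '^www\.', '') | join(' *.')` can now produce the same wildcard twice when a site lists both `www.example.com` and `example.com` as canonical hosts, yielding `*.example.com *.example.com` in one `server_name`; nginx tolerates this as far as I know but logs warnings, and `| unique` before the join avoids it at no cost. Separately, adding `*.example.com` to the `listen 443 ssl` server block means the served certificate must cover the wildcard, which neither this hunk nor the earlier one shows being arranged; a comment such as `# wildcard subsites require a certificate covering *.<host>` next to the server_name would flag that for whoever enables multisite subdomains.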
@@ -16,7 +16,7 @@ - name: Fail if repo_subtree_path is set incorrectly fail: msg: "repo subtree is set to '{{ project.repo_subtree_path }}' but that path does not exist in the repo. Edit `repo_subtree_path` for '{{ site }}' in `wordpress_sites.yml`." - when: project_subtree_full_path is defined and not project_subtree_full_path.stat.exists + when: project.repo_subtree_path is defined and not project_subtree_full_path.stat.exists - name: Create new release dir file: From 5d62713f499dc72b92811212be3591aa469f0575 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 29 Mar 2017 19:45:25 -0600 Subject: [PATCH 194/292] Remove unused registered var generate_account_key --- roles/letsencrypt/tasks/setup.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml index 69aa77a700..6c0d6afcc7 100644 --- a/roles/letsencrypt/tasks/setup.yml +++ b/roles/letsencrypt/tasks/setup.yml @@ -36,7 +36,6 @@ shell: openssl genrsa 4096 > {{ letsencrypt_account_key }} args: creates: "{{ letsencrypt_account_key }}" - register: generate_account_key when: letsencrypt_account_key_source_content is not defined and letsencrypt_account_key_source_file is not defined - name: Download intermediate certificate From bb525470fe77b0921392238c0c602e8727ec33b7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 5 Apr 2017 11:59:16 -0600 Subject: [PATCH 195/292] Accommodate Ansible 2.1's new loop_var in output formatting (#817) Prevents the following error that resulted from hard-coded 'item' loop_var: [WARNING]: Failure using method (v2_runner_item_on_skipped) in callback plugin (): 'item' --- lib/trellis/utils/output.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 8349952aff..36c872d7fa 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py 
@@ -50,11 +50,16 @@ def reset_task_info(obj, task=None): # Display dict key only, instead of full json dump def replace_item_with_key(obj, result): - if not obj._display.verbosity: - if 'key' in result._result['item']: - result._result['item'] = result._result['item']['key'] - elif 'item' in result._result['item'] and 'key' in result._result['item']['item']: - result._result['item'] = result._result['item']['item']['key'] + if not obj._display.verbosity and 'label' not in result._task._ds.get('loop_control', {}): + item = '_ansible_item_label' if '_ansible_item_label' in result._result else 'item' + if 'key' in result._result[item]: + result._result[item] = result._result[item]['key'] + elif type(result._result[item]) is dict: + subitem = '_ansible_item_label' if '_ansible_item_label' in result._result[item] else 'item' + if 'key' in result._result[item].get(subitem, {}): + result._result[item] = result._result[item][subitem]['key'] + elif '_ansible_item_label' in result._result[item]: + result._result[item] = result._result[item]['_ansible_item_label'] def display(obj, result): msg = '' From 7c159ff4c3adbf7b51594ebdebd7ef920eeaedeb Mon Sep 17 00:00:00 2001 From: strarsis Date: Wed, 5 Apr 2017 20:38:00 +0200 Subject: [PATCH 196/292] Accommodate deploy hook vars formatted as lists of includes (#815) * Use lists for hooks. * Move deploy hook variables to defaults/. * Add loop_control/loop_var to hooks. --- CHANGELOG.md | 1 + deploy.yml | 4 ---- roles/deploy/defaults/main.yml | 16 ++++++++++++++++ roles/deploy/tasks/build.yml | 10 ++++++++-- roles/deploy/tasks/finalize.yml | 10 ++++++++-- roles/deploy/tasks/initialize.yml | 10 ++++++++-- roles/deploy/tasks/main.yml | 12 ++++++++++-- roles/deploy/tasks/prepare.yml | 10 ++++++++-- roles/deploy/tasks/share.yml | 10 ++++++++-- roles/deploy/tasks/update.yml | 10 ++++++++-- 10 files changed, 75 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d17fed1725..4d5fbdb414 100644 --- a/CHANGELOG.md 
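Review bot: In `replace_item_with_key`, the new line `if 'key' in result._result[item]:` runs before the `type(...) is dict` check, so when the loop item is a plain string that happens to contain the substring "key" the membership test succeeds and the next line, `result._result[item] = result._result[item]['key']`, raises `TypeError: string indices must be integers` from inside the callback. Test the type first, e.g. `value = result._result[item]` followed by `if isinstance(value, dict) and 'key' in value:`, and use `isinstance` in the `elif` as well. Also, `result._task._ds.get('loop_control', {})` assumes `_ds` is always a mapping; if Ansible ever hands this callback a task without a data-structure origin that would be an AttributeError, so a `getattr(result._task, '_ds', None) or {}` guard is worth considering (hedged, since the callback contract is not visible here).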
+++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Accommodate deploy hook vars formatted as lists of includes ([#815](https://github.com/roots/trellis/pull/815)) * Check Ansible version before Ansible validates task attributes ([#797](https://github.com/roots/trellis/pull/797)) * Add additional Nginx sites configurations support ([#793](https://github.com/roots/trellis/pull/793)) * Change `remote-user` role to `connection` role: tests host key, user ([#745](https://github.com/roots/trellis/pull/745)) diff --git a/deploy.yml b/deploy.yml index 918cd9a8e1..b74fb56d2e 100644 --- a/deploy.yml +++ b/deploy.yml @@ -16,10 +16,6 @@ remote_user: "{{ web_user }}" vars: - deploy_build_before: "{{ playbook_dir }}/deploy-hooks/build-before.yml" - deploy_build_after: "{{ playbook_dir }}/roles/deploy/hooks/build-after.yml" - deploy_finalize_before: "{{ playbook_dir }}/roles/deploy/hooks/finalize-before.yml" - deploy_finalize_after: "{{ playbook_dir }}/roles/deploy/hooks/finalize-after.yml" project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" wordpress_env_defaults: diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 0e230fb7b2..76b1cbfe60 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml 
@@ -44,3 +44,19 @@ project_environment: # The project_current_path is the symlink used for the latest or active deployment # - default is 'current' project_current_path: "{{ project.current_path | default('current') }}" + + +# Deploy hooks +# For list of hooks and explanation, see https://roots.io/trellis/docs/deploys/#hooks +deploy_build_before: + - "{{ playbook_dir }}/deploy-hooks/build-before.yml" + +deploy_build_after: + - "{{ playbook_dir }}/roles/deploy/hooks/build-after.yml" + # - "{{ playbook_dir }}/deploy-hooks/sites/{{ site }}-build-after.yml" + +deploy_finalize_before: + - "{{ playbook_dir }}/roles/deploy/hooks/finalize-before.yml" + +deploy_finalize_after: + - "{{ playbook_dir }}/roles/deploy/hooks/finalize-after.yml" diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index 38f20d9974..7079c69207 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -1,5 +1,8 @@ --- -- include: "{{ deploy_build_before | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_build_before | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-build-before - name: Copy project templates @@ -20,5 +23,8 @@ with_items: "{{ project_folder_paths.results }}" when: item.stat.exists -- include: "{{ deploy_build_after | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_build_after | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-build-after diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index e21bccaf0e..e852b316a6 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml @@ -1,5 +1,8 @@ --- -- include: "{{ deploy_finalize_before | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_finalize_before | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-finalize-before - name: Finalize the deploy 
@@ -9,7 +12,10 @@ release: "{{ deploy_helper.new_release }}" state: finalize -- include: "{{ deploy_finalize_after | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_finalize_after | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-finalize-after - debug: diff --git a/roles/deploy/tasks/initialize.yml b/roles/deploy/tasks/initialize.yml index ed175524aa..253ed088db 100644 --- a/roles/deploy/tasks/initialize.yml +++ b/roles/deploy/tasks/initialize.yml @@ -1,5 +1,8 @@ --- -- include: "{{ deploy_initialize_before | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_initialize_before | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-initialize-before - name: Initialize @@ -8,5 +11,8 @@ path: "{{ project_root }}" state: present -- include: "{{ deploy_initialize_after | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_initialize_after | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-initialize-after diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml index 255279c1e2..579fdc653a 100644 --- a/roles/deploy/tasks/main.yml +++ b/roles/deploy/tasks/main.yml @@ -1,11 +1,19 @@ --- -- include: "{{ deploy_before | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_before | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-before + - include: initialize.yml - include: update.yml - include: prepare.yml - include: build.yml - include: share.yml - include: finalize.yml -- include: "{{ deploy_after | default('../hooks/example.yml') }}" + +- include: "{{ include_path }}" + with_items: "{{ deploy_after | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-after diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index e02b29142e..1d3e75dd5d 100644 
--- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml @@ -1,5 +1,8 @@ --- -- include: "{{ deploy_prepare_before | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_prepare_before | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-prepare-before - name: write unfinished file @@ -35,5 +38,8 @@ chdir: "{{ project_source_path }}" when: project.repo_subtree_path is defined -- include: "{{ deploy_prepare_after | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_prepare_after | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-prepare-after diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 62ded1a0f3..859834448e 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -1,5 +1,8 @@ --- -- include: "{{ deploy_share_before | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_share_before | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-share-before - name: Ensure shared sources are present -- directories @@ -45,5 +48,8 @@ state: link with_items: "{{ project_shared_children }}" -- include: "{{ deploy_share_after | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_share_after | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-share-after diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 893a1b7987..c24fedc9c5 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -1,5 +1,8 @@ --- -- include: "{{ deploy_update_before | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_update_before | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-update-before - name: Add known_hosts 
@@ -48,5 +51,8 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding when: git_clone | failed -- include: "{{ deploy_update_after | default('../hooks/example.yml') }}" +- include: "{{ include_path }}" + with_items: "{{ deploy_update_after | default([]) }}" + loop_control: + loop_var: include_path tags: deploy-update-after From 41e661b32cdf871ff174288bd5ca151e9613ddb8 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 6 Apr 2017 08:36:25 -0600 Subject: [PATCH 197/292] Make the to_env filter escape single quote chars (#819) The to_env filter wraps values in single quotes. A single quote in a var value leads phpdotenv to misinterpret the value, like this: EXAMPLE_VAR: 'xxxx'xxxxx' The edit in this commit escapes single quote chars, like this: EXAMPLE_VAR: 'xxxx\'xxxxx' --- lib/trellis/plugins/filter/filters.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/trellis/plugins/filter/filters.py b/lib/trellis/plugins/filter/filters.py index 1b2e0bb92e..05ad4276ed 100644 --- a/lib/trellis/plugins/filter/filters.py +++ b/lib/trellis/plugins/filter/filters.py @@ -8,7 +8,7 @@ from ansible.compat.six import string_types def to_env(dict_value): - envs = ["{0}='{1}'".format(key.upper(), value) for key, value in sorted(dict_value.items())] + envs = ["{0}='{1}'".format(key.upper(), str(value).replace("'","\\'")) for key, value in sorted(dict_value.items())] return "\n".join(envs) def underscore(value): From a71851125b0043c6b86cf2b52a5ac0dd4fd43440 Mon Sep 17 00:00:00 2001 
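Review bot: The new `to_env` escapes only the single quote, but phpdotenv's single-quoted parser (at least the 2.x one I know) also treats the backslash as an escape character, so a value containing a backslash — common in generated passwords and salts — is either altered or fails the quoted-value pattern and is read verbatim with its quotes intact. Escape the backslash first and then the quote: `escaped = str(value).replace('\\', '\\\\').replace("'", "\\'")`, and use that in the format call. A value containing a newline would likewise end the line early and be parsed as a fresh variable, so the filter should probably raise on `\n`/`\r` rather than emit them into the `.env` file. Note also that with the file now under `unicode_literals`, `str(value)` on Python 2 raises `UnicodeEncodeError` for non-ASCII unicode values; six's `text_type` would be the safer coercion — confirm against the Python versions Ansible is run with here.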
From: Phil Nelson Date: Thu, 6 Apr 2017 08:38:27 -0600 Subject: [PATCH 198/292] Move vars out of deploy.yml (#820) For tidier deploy.yml and consistency of role vars in defaults/main.yml: * Moves unique vars to defaults/main.yml * Moves duplicate vars that must take precedence over group_vars to new roles/deploy/vars/main.yml --- deploy.yml | 18 ------------------ roles/deploy/defaults/main.yml | 5 +++++ roles/deploy/vars/main.yml | 11 +++++++++++ 3 files changed, 16 insertions(+), 18 deletions(-) create mode 100644 roles/deploy/vars/main.yml diff --git a/deploy.yml b/deploy.yml index b74fb56d2e..4b281b1be0 100644 --- a/deploy.yml +++ b/deploy.yml @@ -14,29 +14,12 @@ - name: Deploy WP site hosts: web:&{{ env }} remote_user: "{{ web_user }}" - - vars: - project: "{{ wordpress_sites[site] }}" - project_root: "{{ www_root }}/{{ site }}" - wordpress_env_defaults: - db_host: localhost - db_name: "{{ site | underscore }}_{{ env }}" - db_user: "{{ site | underscore }}" - disable_wp_cron: true - wp_env: "{{ env }}" - wp_home: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}" - wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" - domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" - site_env: "{{ wordpress_env_defaults | combine(project.env | default({}), vault_wordpress_sites[site].env) }}" - project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" - pre_tasks: - name: Ensure site is valid connection: local fail: msg: "Site `{{ site | default('') }}` is not valid. Available sites to deploy: {{ wordpress_sites.keys() | join(', ') }}" when: wordpress_sites[site | default('')] is not defined - - name: Ensure repo is valid connection: local fail: 
@@ -46,6 +29,5 @@ More info: > https://roots.io/trellis/docs/deploys/ when: project.repo is not defined or not project.repo | match(".*@.*:.*\.git") - roles: - deploy diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 76b1cbfe60..88e13aa6d0 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -45,6 +45,11 @@ project_environment: # - default is 'current' project_current_path: "{{ project.current_path | default('current') }}" +# Helpers +project: "{{ wordpress_sites[site] }}" +project_root: "{{ www_root }}/{{ site }}" +project_local_path: "{{ (lookup('env', 'USER') == 'vagrant') | ternary(project_root + '/' + project_current_path, project.local_path) }}" + # Deploy hooks # For list of hooks and explanation, see https://roots.io/trellis/docs/deploys/#hooks diff --git a/roles/deploy/vars/main.yml b/roles/deploy/vars/main.yml new file mode 100644 index 0000000000..cb51f14823 --- /dev/null +++ b/roles/deploy/vars/main.yml @@ -0,0 +1,11 @@ +wordpress_env_defaults: + db_host: localhost + db_name: "{{ site | underscore }}_{{ env }}" + db_user: "{{ site | underscore }}" + disable_wp_cron: true + wp_env: "{{ env }}" + wp_home: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}" + wp_siteurl: "{{ project.ssl.enabled | default(false) | ternary('https', 'http') }}://{{ project.site_hosts | map(attribute='canonical') | first }}/wp" + domain_current_site: "{{ project.site_hosts | map(attribute='canonical') | first }}" + +site_env: "{{ wordpress_env_defaults | combine(project.env | default({}), vault_wordpress_sites[site].env) }}" From 3f82cd307ad70b6a505a98abe7dcfff9bc6b71ff Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 6 Apr 2017 08:39:07 -0600 Subject: [PATCH 199/292] Remove unnecessary with_dict loop in creating web root (#821) --- roles/wordpress-setup/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 28e5fe7bed..76eef044cd 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -11,7 +11,6 @@ group: "{{ web_group }}" mode: 0755 state: directory - with_dict: "{{ wordpress_sites }}" - name: Create logs folder of sites file: From c1371e3bc231141e5703a4334f2048ef70486a95 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 6 Apr 2017 20:18:30 -0600 Subject: [PATCH 200/292] Use dynamic HostKeyAlgorithms SSH option for unknown hosts (#798) Resulting HostKeyAlgorithms option... - is omitted if host already in known_hosts - is omitted if `dynamic_host_key_algorithms: false` (default: true) - includes ed25519 types only if local machine has OpenSSH 6.5+ --- CHANGELOG.md | 1 + ansible.cfg | 2 +- roles/connection/defaults/main.yml | 5 +++++ roles/connection/tasks/main.yml | 30 ++++++++++++++++++++++++++++-- 4 files changed, 35 insertions(+), 3 deletions(-) create mode 100644 roles/connection/defaults/main.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 4d5fbdb414..93ec0f2a93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Use dynamic HostKeyAlgorithms SSH option for unknown hosts ([#798](https://github.com/roots/trellis/pull/798)) * Accommodate deploy hook vars formatted as lists of includes ([#815](https://github.com/roots/trellis/pull/815)) * Check Ansible version before Ansible validates task attributes ([#797](https://github.com/roots/trellis/pull/797)) * Add additional Nginx sites configurations support ([#793](https://github.com/roots/trellis/pull/793)) diff --git a/ansible.cfg b/ansible.cfg index e200ee7a59..8181c710bf 100644 --- a/ansible.cfg +++ b/ansible.cfg 
@@ -10,5 +10,5 @@ roles_path = vendor/roles vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:lib/trellis/plugins/vars [ssh_connection] -ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa +ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s pipelining = True diff --git a/roles/connection/defaults/main.yml b/roles/connection/defaults/main.yml new file mode 100644 index 0000000000..f6c42a8444 --- /dev/null +++ b/roles/connection/defaults/main.yml @@ -0,0 +1,5 @@ +ansible_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ansible_host + ' > /dev/null 2>&1 && echo True || echo False') }}" +ssh_config_host: "{{ lookup('pipe', 'ssh -G ' + ansible_host + ' 2>/dev/null | grep \"^hostname\" ||:') | regex_replace('^hostname ([^\\s]+)', '\\1') }}" +ssh_config_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ssh_config_host + ' > /dev/null 2>&1 && echo True || echo False') }}" +openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.5', '>=') }}" +host_key_algorithms: "{{ openssh_6_5_plus | ternary('ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa', 'ssh-rsa-cert-v01@openssh.com,ssh-rsa') }}" diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index c56e1acd64..8f4ccf2a63 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml 
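Review bot: The `pipe` lookups in the first three lines build a local shell command by string-concatenating `ansible_host`, so any shell metacharacters in an inventory host value execute on the control machine. Inventory is operator-controlled, so this is hardening rather than an exploit, but wrapping the interpolated value with the `quote` filter, e.g. `'ssh-keygen -F ' + (ansible_host | quote) + ' > /dev/null 2>&1 && echo True || echo False'`, closes it cheaply; `ssh_config_host` in the third line deserves the same treatment since it is derived from command output. `ssh -G` only exists in OpenSSH 6.8+; on older clients the `||:` leaves `ssh_config_host` empty and `ssh-keygen -F ''` reports False, which degrades gracefully but should be stated in a comment above these variables, as should the assumption that `ansible_host` is always defined in the inventory.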
@@ -6,8 +6,20 @@ ansible-playbook server.yml -e env={{ env | default('production') }} -u root --ask-pass when: dynamic_user | default(true) and ansible_user is not defined and cli_ask_pass | default(false) +- name: Specify preferred HostKeyAlgorithms for unknown hosts + set_fact: + ansible_ssh_extra_args: -o HostKeyAlgorithms={{ host_key_algorithms }} + register: preferred_host_key_algorithms + when: + - dynamic_host_key_algorithms | default(true) + - ansible_ssh_extra_args == '' + - not (ansible_host_known or ssh_config_host_known) + - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} - local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} {{ cli_options | default('') }} -vvvv + local_action: | + command ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} + {{ ('--ssh-extra-args' not in cli_options) | ternary('--ssh-extra-args="' + ansible_ssh_extra_args + '"', '') }} + {{ cli_options | default('') }} -vvvv failed_when: false changed_when: false check_mode: no @@ -45,7 +57,21 @@ - name: Announce which user was selected debug: - msg: "Note: Ansible will attempt connections as user = {{ ansible_user }}" + msg: | + Note: Ansible will attempt connections as user = {{ ansible_user }} + {% if preferred_host_key_algorithms | changed %} + + Note: The host `{{ ansible_host }}` was not detected in known_hosts + so Trellis prompted the host to offer a key type that will work with + the stronger key types Trellis configures on the server. This avoids future + connection failures due to changed host keys. Trellis used this SSH option: + + {{ ansible_ssh_extra_args }} + + To prevent Trellis from ever using this SSH option, add this to group_vars: + + dynamic_host_key_algorithms: false + {% endif %} - name: Load become password set_fact: 
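Review bot: In the new `local_action`, `('--ssh-extra-args' not in cli_options)` references `cli_options` without the `| default('')` that the same command applies to it one expression later, so a run that does not set `cli_options` will fail this task with an undefined-variable error instead of testing the connection. Change it to `{{ ('--ssh-extra-args' not in cli_options | default('')) | ternary('--ssh-extra-args="' + ansible_ssh_extra_args + '"', '') }}`. The set_fact's condition `ansible_ssh_extra_args == ''` likewise assumes the variable is always defined, presumably via group_vars; a `| default('')` there would make that explicit. Finally, restricting HostKeyAlgorithms on an unknown host is still a trust-on-first-use acceptance of whatever key the server presents, so the debug text could say that the key is being accepted unverified rather than only that later mismatch failures are avoided.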
From 4da9d734a760d3e6264ea0b4034ecc42e11bd5b3 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Fri, 7 Apr 2017 17:20:42 -0600 Subject: [PATCH 201/292] Fix conditional for dynamic HostKeyAlgorithms msg (#822) When the set_fact task runs, it has status 'ok', not 'changed'. Thus to check whether the ansible_ssh_extra_args var was dynamically set, the condition must check whether or not the set_fact task skipped. --- roles/connection/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index 8f4ccf2a63..c7f6df9cc1 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml @@ -59,7 +59,7 @@ debug: msg: | Note: Ansible will attempt connections as user = {{ ansible_user }} - {% if preferred_host_key_algorithms | changed %} + {% if not preferred_host_key_algorithms | skipped %} Note: The host `{{ ansible_host }}` was not detected in known_hosts so Trellis prompted the host to offer a key type that will work with From 4b32632e67ea6d14372b93fca519c915cc19ac27 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 7 Apr 2017 20:07:47 -0400 Subject: [PATCH 202/292] Add wordpress_sites validations This will catch a common error of forgetting to update site names/keys in both `wordpress_sites` and `vault_wordpress_sites`. --- CHANGELOG.md | 1 + local.yml | 11 +++++++++++ roles/common/tasks/main.yml | 6 ++++++ roles/common/templates/wordpress_sites.j2 | 10 ++++++++++ 4 files changed, 28 insertions(+) create mode 100644 local.yml create mode 100644 roles/common/templates/wordpress_sites.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 93ec0f2a93..1b893a93ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Add vault_wordpress_sites validation ([#823](https://github.com/roots/trellis/pull/823)) * Use dynamic HostKeyAlgorithms SSH option for unknown hosts ([#798](https://github.com/roots/trellis/pull/798)) * Accommodate deploy hook vars formatted as lists of includes ([#815](https://github.com/roots/trellis/pull/815)) * Check Ansible version before Ansible validates task attributes ([#797](https://github.com/roots/trellis/pull/797)) diff --git a/local.yml b/local.yml new file mode 100644 index 0000000000..c351e84703 --- /dev/null +++ b/local.yml @@ -0,0 +1,11 @@ +--- +- name: "WordPress Server: Install LEMP Stack with PHP 7.0 and MariaDB MySQL" + hosts: localhost + connection: local + + tasks: + - name: Validate wordpress_sites + fail: + msg: "test" + when: wordpress_sites.keys() | sort != vault_wordpress_sites.keys() | sort + tags: [wordpress] diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index b5a37ab91d..f6a59531b8 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,4 +1,10 @@ --- +- name: Validate wordpress_sites + fail: + msg: "{{ lookup('template', 'wordpress_sites.j2') }}" + when: wordpress_sites.keys() | difference(vault_wordpress_sites.keys()) | count + tags: [wordpress] + - name: Validate format of site_hosts fail: msg: "{{ lookup('template', 'site_hosts.j2') }}" diff --git a/roles/common/templates/wordpress_sites.j2 b/roles/common/templates/wordpress_sites.j2 new file mode 100644 index 0000000000..a0d10c981a --- /dev/null +++ b/roles/common/templates/wordpress_sites.j2 
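Review bot: The new validation in roles/common/tasks/main.yml is one-directional: `wordpress_sites.keys() | difference(vault_wordpress_sites.keys())` catches a site with no vault entry but says nothing about a vault entry with no matching site, which is the other half of the "renamed the key in only one file" mistake the commit describes and leaves orphaned credentials in the vault. Either add a second task with the operands swapped or compare with `symmetric_difference` and report both lists in the template. If `vault_wordpress_sites` is not defined at all the expression fails with a generic undefined-variable error instead of this message; `vault_wordpress_sites | default({})` in both the `when` and the template would route that case through the same explanation.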
@@ -0,0 +1,10 @@ +Invalid WordPress sites configuration: site names in `wordpress_sites` must have matching entry in `vault_wordpress_sites`. + +Sites without a matching vault entry: +{% for name in wordpress_sites.keys() | difference(vault_wordpress_sites.keys()) %} +* `{{ name }}` +{% endfor %} + +Update `group_vars/{{ env }}/vault_wordpress_sites.yml` to continue. + +Docs: https://roots.io/trellis/docs/wordpress-sites/#passwordssecrets From 448bbc028bf52c047ebe4a5a0ddf38f591c09cc0 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 7 Apr 2017 20:42:39 -0400 Subject: [PATCH 203/292] :cop: --- local.yml | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 local.yml diff --git a/local.yml b/local.yml deleted file mode 100644 index c351e84703..0000000000 --- a/local.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: "WordPress Server: Install LEMP Stack with PHP 7.0 and MariaDB MySQL" - hosts: localhost - connection: local - - tasks: - - name: Validate wordpress_sites - fail: - msg: "test" - when: wordpress_sites.keys() | sort != vault_wordpress_sites.keys() | sort - tags: [wordpress] From c7ad193c578b4af98708682436e6956d858a007d Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 7 Apr 2017 20:43:21 -0400 Subject: [PATCH 204/292] 1.0.0-rc.1 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1b893a93ad..8134f7b719 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -### HEAD +### 1.0.0-rc.1: April 7th, 2017 * Add vault_wordpress_sites validation ([#823](https://github.com/roots/trellis/pull/823)) * Use dynamic HostKeyAlgorithms SSH option for unknown hosts ([#798](https://github.com/roots/trellis/pull/798)) * Accommodate deploy hook vars formatted as lists of includes ([#815](https://github.com/roots/trellis/pull/815)) From dd4cc701f2c9e257890d1e426a470e267675698a Mon Sep 17 00:00:00 2001 
From: Scott Walkinshaw Date: Sun, 9 Apr 2017 18:37:16 -0400 Subject: [PATCH 205/292] Remove db_import option This option is used to import a local SQL dump file into the database. It was seldom used and could be dangerous. This option would cause the DB to be imported *every* provision which could overwrite data. As an alternative for most DB operations, we always recommend using WP CLI. Example: `wp db import dbname.sql` --- CHANGELOG.md | 3 +++ roles/wordpress-setup/tasks/database.yml | 19 ------------------- 2 files changed, 3 insertions(+), 19 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8134f7b719..2d53ae5c7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### HEAD +* Remove potentially dangerous `db_import` option ([#825](https://github.com/roots/trellis/pull/825)) + ### 1.0.0-rc.1: April 7th, 2017 * Add vault_wordpress_sites validation ([#823](https://github.com/roots/trellis/pull/823)) * Use dynamic HostKeyAlgorithms SSH option for unknown hosts ([#798](https://github.com/roots/trellis/pull/798)) diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index d4a8e74282..b1775e8917 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -22,22 +22,3 @@ login_password: "{{ mysql_root_password }}" with_dict: "{{ wordpress_sites }}" when: site_uses_local_db and item.value.db_create | default(True) - -- name: Copy database dump - copy: - src: "{{ item.value.db_import }}" - dest: /tmp - with_dict: "{{ wordpress_sites }}" - when: item.value.db_import | default(False) - -- name: Import database - mysql_db: - name: "{{ site_env.db_name }}" - state: import - target: "/tmp/{{ item.value.db_import | basename }}" - login_host: "{{ site_env.db_host }}" - login_user: "{{ site_env.db_user }}" - login_password: "{{ site_env.db_password }}" - with_dict: "{{ wordpress_sites }}" - when: item.value.db_import | default(False) - notify: reload nginx 
From 675cbcd5155f92ccb3721912946063c395e89bc9 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 9 Apr 2017 19:28:31 -0400 Subject: [PATCH 206/292] Use a block --- roles/wordpress-setup/tasks/database.yml | 45 ++++++++++++------------ 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index b1775e8917..bde2f14f30 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml 
@@ -1,24 +1,25 @@ --- -- name: Create database of sites - mysql_db: - name: "{{ site_env.db_name }}" - state: present - login_host: "{{ site_env.db_host }}" - login_user: "{{ mysql_root_user }}" - login_password: "{{ mysql_root_password }}" - with_dict: "{{ wordpress_sites }}" - when: site_uses_local_db and item.value.db_create | default(True) +- block: + - name: Create database of sites + mysql_db: + name: "{{ site_env.db_name }}" + state: present + login_host: "{{ site_env.db_host }}" + login_user: "{{ mysql_root_user }}" + login_password: "{{ mysql_root_password }}" + with_dict: "{{ wordpress_sites }}" -- name: Create/assign database user to db and grant permissions - mysql_user: - name: "{{ site_env.db_user }}" - password: "{{ site_env.db_password }}" - host: "{{ site_env.db_user_host }}" - append_privs: yes - priv: "{{ site_env.db_name }}.*:ALL" - state: present - login_host: "{{ site_env.db_host }}" - login_user: "{{ mysql_root_user }}" - login_password: "{{ mysql_root_password }}" - with_dict: "{{ wordpress_sites }}" - when: site_uses_local_db and item.value.db_create | default(True) + - name: Create/assign database user to db and grant permissions + mysql_user: + name: "{{ site_env.db_user }}" + password: "{{ site_env.db_password }}" + host: "{{ site_env.db_user_host }}" + append_privs: yes + priv: "{{ site_env.db_name }}.*:ALL" + state: present + login_host: "{{ site_env.db_host }}" + login_user: "{{ mysql_root_user }}" + login_password: "{{ mysql_root_password }}" + with_dict: "{{ wordpress_sites }}" + + when: site_uses_local_db and item.value.db_create | default(true) From f948df133c92cf13516c5f0cc00cdde773068e47 Mon Sep 17 00:00:00 2001 
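Review bot: Both tasks in the new block pass `site_env.db_password` and `mysql_root_password` and are looped with `with_dict`, so verbose or failed-task output can carry credential material into the play log; adding `no_log: true` at the block level keeps it out (the mysql modules mark their password parameters no_log, but as far as I can tell that does not cover every failure dump). The block-level `when: site_uses_local_db and item.value.db_create | default(true)` also relies on `item` being resolved from each inner task's loop; that works in Ansible 2.x but is surprising enough to merit a comment such as `# item comes from each task's with_dict; the condition is evaluated per site`.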
From: Phil Nelson Date: Wed, 12 Apr 2017 17:18:50 -0600 Subject: [PATCH 207/292] Deploys: Make wp core update-db optional (#827) Users with large network databases may choose to disable this option to avoid long processing time. --- roles/deploy/defaults/main.yml | 3 +++ roles/deploy/hooks/finalize-after.yml | 14 ++++---------- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml index 88e13aa6d0..8e04496fff 100644 --- a/roles/deploy/defaults/main.yml +++ b/roles/deploy/defaults/main.yml @@ -45,6 +45,9 @@ project_environment: # - default is 'current' project_current_path: "{{ project.current_path | default('current') }}" +# Whether to run `wp core update-db` at end of each deploy +update_db_on_deploy: true + # Helpers project: "{{ wordpress_sites[site] }}" project_root: "{{ www_root }}/{{ site }}" diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 903f41c4fa..47712dcebc 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
@@ -1,21 +1,15 @@ --- - block: - - name: Update WP database - command: wp core update-db - args: - chdir: "{{ deploy_helper.current_path }}" - when: not project.multisite.enabled | default(false) - - name: Warn about updating network database. debug: msg: "Updating the network database could take a long time with a large number of sites." - when: project.multisite.enabled | default(false) + when: project.update_db_on_deploy | default(update_db_on_deploy) and project.multisite.enabled | default(false) - - name: Update WP network database - command: wp core update-db --network + - name: Update WP database + command: wp core update-db {{ project.multisite.enabled | default(false) | ternary('--network', '') }} args: chdir: "{{ deploy_helper.current_path }}" - when: project.multisite.enabled | default(false) + when: project.update_db_on_deploy | default(update_db_on_deploy) - name: Get WP theme template root command: wp option get template_root From 0d22b19548ddbc97059bd8b0ca45451c51f18d98 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 30 Mar 2017 11:30:19 -0600 Subject: [PATCH 208/292] Update connection test for new dense.py callback in Ansible 2.3 stdout_lines of whoami with -vvvv formerly included `root` but now will include ansi code prefix: `\e[0;32mroot`. Connection as root will always appear to have failed unless Trellis checks for this revised string. --- roles/connection/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index c7f6df9cc1..b550e77c10 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml 
@@ -52,7 +52,7 @@ - block: - name: Set remote user for each host set_fact: - ansible_user: "{{ ansible_user | default(('root' in connection_status.stdout_lines) | ternary('root', admin_user)) }}" + ansible_user: "{{ ansible_user | default((connection_status.stdout_lines | intersect(['root', '\e[0;32mroot']) | count) | ternary('root', admin_user)) }}" check_mode: no - name: Announce which user was selected From 3f1497fcb4dd3901d15149fb6c64ca5cf5a42c1b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 30 Mar 2017 12:06:20 -0600 Subject: [PATCH 209/292] Remove jinja delimiters from tasks' when parameter Prevents related warnings introduced in Ansible 2.3 ansible/ansible#ff20ab7 --- roles/nginx/tasks/main.yml | 2 +- roles/wordpress-install/tasks/main.yml | 2 +- roles/wp-cli/tasks/main.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 5ca6c871b9..180e0101e7 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -21,7 +21,7 @@ args: chdir: "{{ nginx_path }}/ssl" creates: "{{ nginx_path }}/ssl/dhparams.pem" - when: true in [{% for key, site in wordpress_sites.iteritems() %}{{ site.ssl.enabled }},{% endfor %}] + when: wordpress_sites.values() | map(attribute='ssl') | selectattr('enabled') | list | count notify: reload nginx tags: [diffie-hellman] diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 3e1effb15f..5545d5fbb7 100644 --- a/roles/wordpress-install/tasks/main.yml +++ b/roles/wordpress-install/tasks/main.yml @@ -14,7 +14,7 @@ command: rsync -ac --info=NAME /tmp/{{ item.key }}.env {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/.env with_dict: "{{ wordpress_sites }}" register: env_file - changed_when: env_file.stdout == "{{ item.key }}.env" + changed_when: env_file.stdout == item.key + '.env' - name: Add known_hosts known_hosts: 
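Review bot: Matching the whoami output against the literal `'\e[0;32mroot'` ties root detection to one callback plugin's exact colour sequence; a different colour setting, `ANSIBLE_NOCOLOR`, or another stdout callback makes the intersect miss and silently falls back to `admin_user`. Stripping escape codes before comparing is more robust: `ansible_user: "{{ ansible_user | default(('root' in (connection_status.stdout_lines | map('regex_replace', '\\x1b\\[[0-9;]*m', '') | list)) | ternary('root', admin_user)) }}"`. The enclosing block continues outside the hunk.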
diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 9c7908bd83..6f73c31e55 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -9,7 +9,7 @@ args: warn: false register: wp_cli - changed_when: wp_cli.stdout == "wp-cli{{ wp_cli_version }}.phar" + changed_when: wp_cli.stdout == 'wp-cli-' + wp_cli_version + '.phar' - name: Retrieve WP-CLI tab completions command: curl -4Ls {{ wp_cli_completion_url }} -o /tmp/wp-completion-{{ wp_cli_version }}.bash @@ -22,4 +22,4 @@ args: warn: false register: wp_cli_completion - changed_when: wp_cli_completion.stdout == "wp-completion-{{ wp_cli_version }}.bash" + changed_when: wp_cli_completion.stdout == 'wp-completion-' + wp_cli_version + '.bash' From cbf499cb8f7918677c39a4b528884dd2f278072b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 30 Mar 2017 12:20:50 -0600 Subject: [PATCH 210/292] Avoid single var containing jinja delimiters in when parameter A single var in a `when` parameter will be expanded and the var's jinja delimiters will trigger related warnings introduced in Ansible 2.3 ansible/ansible#ff20ab7 --- CHANGELOG.md | 1 + roles/letsencrypt/defaults/main.yml | 5 ++--- roles/letsencrypt/tasks/nginx.yml | 8 ++++++-- server.yml | 2 +- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d53ae5c7c..59569f6a00 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Ansible 2.3 compatibility ([#813](https://github.com/roots/trellis/pull/813)) * Remove potentially dangerous `db_import` option ([#825](https://github.com/roots/trellis/pull/825)) ### 1.0.0-rc.1: April 7th, 2017 diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index ec10aa7d20..b6ad540cc5 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml 
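Review bot: The rewritten `changed_when` in the first hunk compares against `'wp-cli-' + wp_cli_version + '.phar'`, whereas the removed line compared against `wp-cli{{ wp_cli_version }}.phar` with no hyphen, so this alters change detection and is not only the warning fix the commit describes; whichever spelling matches the filename written by the download task above (outside the hunk) is correct, and the other would report unchanged forever unless `wp_cli_version` itself begins with a hyphen. A comment `# must match the -o filename of the curl task above` would pin that coupling. Unrelated to this change but visible in the context, the phar appears to be fetched with curl and no checksum or signature check; a pinned `checksum:` on a `get_url` task would give the install some supply-chain integrity.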
@@ -1,7 +1,6 @@ sites_using_letsencrypt: "[{% for name, site in wordpress_sites.iteritems() if site.ssl.enabled and site.ssl.provider | default('manual') == 'letsencrypt' %}'{{ name }}',{% endfor %}]" -letsencrypt_enabled: "{{ sites_using_letsencrypt | count }}" -site_uses_letsencrypt: "{{ ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' }}" -missing_hosts: "{{ site_uses_letsencrypt | ternary(site_hosts, []) | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" +site_uses_letsencrypt: ssl_enabled and item.value.ssl.provider | default('manual') == 'letsencrypt' +missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr('item.key', 'equalto', item.key) | selectattr('stdout_lines', 'defined') | sum(attribute='stdout_lines', start=[]) | map('trim') | list | join(' ')).split(' ')) }}" letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 508c259acf..981fb3bce1 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -18,7 +18,9 @@ src: nginx-challenge-site.conf.j2 dest: "{{ nginx_path }}/sites-available/letsencrypt-{{ item.key }}.conf" register: challenge_site_confs - when: missing_hosts | count + when: + - site_uses_letsencrypt + - missing_hosts | count with_dict: "{{ wordpress_sites }}" - name: Enable Nginx sites 
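Review bot: `site_uses_letsencrypt` is now a bare Jinja expression string instead of a templated value, which only works because `when:` evaluates its string as an expression; anywhere it is expanded with `{{ }}` or fed to a filter it becomes the literal text `ssl_enabled and item.value.ssl.provider ...`, which is truthy. A comment above it such as `# Raw expression: valid only as a when: condition, never inside {{ }}` would guard against that misuse, and since `missing_hosts` has lost its own guard, every consumer must now add the `site_uses_letsencrypt` condition as nginx.yml does. `sites_using_letsencrypt` still uses `.iteritems()`, which exists only on Python 2 dicts — acceptable for the Ansible versions targeted here, but worth noting.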
@@ -27,7 +29,9 @@ dest: "{{ nginx_path }}/sites-enabled/letsencrypt-{{ item.key }}.conf" state: link register: challenge_sites_enabled - when: missing_hosts | count + when: + - site_uses_letsencrypt + - missing_hosts | count with_dict: "{{ wordpress_sites }}" notify: disable temporary challenge sites diff --git a/server.yml b/server.yml index ec5df22001..8a67461667 100644 --- a/server.yml +++ b/server.yml @@ -38,5 +38,5 @@ - { role: logrotate, tags: [logrotate] } - { role: composer, tags: [composer] } - { role: wp-cli, tags: [wp-cli] } - - { role: letsencrypt, tags: [letsencrypt], when: letsencrypt_enabled } + - { role: letsencrypt, tags: [letsencrypt], when: sites_using_letsencrypt | count } - { role: wordpress-setup, tags: [wordpress, wordpress-setup, letsencrypt] } From 28eb441fc268af40c4603ef4919d865cfb1f5837 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 15 Apr 2017 16:22:30 -0600 Subject: [PATCH 211/292] Use python slice on password salt instead of Jinja2 truncate() Installing Ansible 2.3 installs Jinja2 v2.9.6 (up from v2.8.1). Jinja2 v 2.9.4 changed the truncate.leeway default from 0 to 5 chars, resulting in no truncation for salts up to 21 characters, potentially causing `salt too large (sha512_crypt requires <= 16 chars)` failure. Adding a final parameter `0` (leeway) resolves the issue in Ansible 2.3, but fails on earlier versions with Jinja2 < 2.9.4, causing the error `do_truncate() takes at most 4 arguments (5 given)`. This commit switches to python slice [:16] because it works in all contexts. --- roles/users/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 8a126199f0..84e27667f8 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml 
@@ -33,7 +33,7 @@ name: "{{ item.name }}" group: "{{ item.groups[0] }}" groups: "{{ item.groups | join(',') }}" - password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", user.salt | default("") | truncate(16, true, "") | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ None }}{% endfor %}' + password: '{% for user in vault_users | default([]) if user.name == item.name and user.password is defined %}{{ user.password | password_hash("sha512", (user.salt | default(""))[:16] | regex_replace("[^\.\/a-zA-Z0-9]", "x")) }}{% else %}{{ None }}{% endfor %}' state: present shell: /bin/bash update_password: always From f6be4ac52183c5c491ac0720117d61573d6bd4e3 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 9 Apr 2017 21:34:20 -0400 Subject: [PATCH 212/292] Add Vagrant config support Adds a new `vagrant.default.yml` config file which is used for Vagrant related settings in `Vagrantfile.` `vagrant.local.yml` is also supported as a local, untracked config file which takes precedence over the default. --- CHANGELOG.md | 1 + Vagrantfile | 119 ++++++++++++++--------------------------- lib/trellis/vagrant.rb | 64 ++++++++++++++++++++++ vagrant.default.yml | 18 +++++++ 4 files changed, 124 insertions(+), 78 deletions(-) create mode 100644 lib/trellis/vagrant.rb create mode 100644 vagrant.default.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 59569f6a00..2345db5f2a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### HEAD * Ansible 2.3 compatibility ([#813](https://github.com/roots/trellis/pull/813)) +* Add Vagrant config ([#828](https://github.com/roots/trellis/pull/828)) * Remove potentially dangerous `db_import` option ([#825](https://github.com/roots/trellis/pull/825)) ### 1.0.0-rc.1: April 7th, 2017 diff --git a/Vagrantfile b/Vagrantfile index 096085f240..c7bbbe8ffd 100644 --- a/Vagrantfile +++ b/Vagrantfile 
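Review bot: The salt sanitisation `regex_replace("[^\.\/a-zA-Z0-9]", "x")` silently rewrites every disallowed character of a user-supplied `salt` to `x`, shrinking its effective alphabet without telling the operator; since the fixed salt exists to keep `update_password: always` idempotent rather than for secrecy this is not a direct vulnerability, but failing validation — e.g. a `fail` task with `when: not (user.salt | default('') is match('^[./a-zA-Z0-9]{0,16}$'))` — would be more honest than patching it. When no salt is given the empty string reaches `password_hash`, which in the Ansible versions I know falls back to a random salt; please confirm that holds for the supported versions, otherwise the hash would be unsalted. The enclosing `user` task continues outside the hunk.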
@@ -1,43 +1,28 @@ # -*- mode: ruby -*- # vi: set ft=ruby : -require 'yaml' - -ip = '192.168.50.5' # pick any local IP -cpus = 1 -memory = 1024 # in MB - ANSIBLE_PATH = __dir__ # absolute path to Ansible directory on host machine ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis' # absolute path to Ansible directory on virtual machine -# Set Ansible paths relative to Ansible directory -ENV['ANSIBLE_CONFIG'] = ANSIBLE_PATH -ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback_plugins/:/usr/share/ansible_plugins/callback_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/callback')}" -ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" -ENV['ANSIBLE_LIBRARY'] = "/usr/share/ansible:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" -ENV['ANSIBLE_ROLES_PATH'] = File.join(ANSIBLE_PATH, 'vendor', 'roles') -ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" +require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'vagrant') +require 'yaml' -config_file = File.join(ANSIBLE_PATH, 'group_vars', 'development', 'wordpress_sites.yml') +vconfig = YAML.load_file("#{ANSIBLE_PATH}/vagrant.default.yml") -def fail_with_message(msg) - fail Vagrant::Errors::VagrantError.new, msg +if File.exist?("#{ANSIBLE_PATH}/vagrant.local.yml") + local_config = YAML.load_file("#{ANSIBLE_PATH}/vagrant.local.yml") + vconfig.merge!(local_config) if local_config end -if File.exists?(config_file) - wordpress_sites = YAML.load_file(config_file)['wordpress_sites'] - fail_with_message "No sites found in #{config_file}." if wordpress_sites.to_h.empty? -else - fail_with_message "#{config_file} was not found. Please set `ANSIBLE_PATH` in your Vagrantfile." 
-end +wordpress_sites = load_wordpress_sites +site_hosts = hosts(wordpress_sites) Vagrant.require_version '>= 1.8.5' Vagrant.configure('2') do |config| - config.vm.box = 'bento/ubuntu-16.04' - config.vm.box_version = '2.2.9' + config.vm.box = vconfig.fetch('vagrant_box') + config.vm.box_version = vconfig.fetch('vagrant_box_version') config.ssh.forward_agent = true - config.vm.post_up_message = post_up_message # Fix for: "stdin: is not a tty" 
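Review bot: `vconfig.merge!(local_config) if local_config` assumes `vagrant.local.yml` parses to a Hash; a file that parses to a scalar or a list passes the truthiness check and `merge!` raises a TypeError that names neither file. Check the type and report it: `vconfig.merge!(local_config) if local_config.is_a?(Hash)`, with `fail_with_message` for anything else. Both files are read with `YAML.load_file`, which permits arbitrary Ruby object construction; they sit in the operator's own checkout next to a Vagrantfile that already executes arbitrary Ruby, so no new trust boundary is crossed, but `YAML.safe_load` would make the plain-data expectation explicit. `merge!` is also shallow, so a local `vagrant_synced_folders` list replaces the default list rather than extending it — worth a sentence in the `vagrant.default.yml` comment block.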
@@ -45,29 +30,21 @@ Vagrant.configure('2') do |config| config.ssh.shell = %{bash -c 'BASH_ENV=/etc/profile exec bash'} # Required for NFS to work - config.vm.network :private_network, ip: ip, hostsupdater: 'skip' - - site_hosts = wordpress_sites.flat_map { |(_name, site)| site['site_hosts'] } - - site_hosts.each do |host| - if !host.is_a?(Hash) or !host.has_key?('canonical') - fail_with_message File.read(File.join(ANSIBLE_PATH, 'roles/common/templates/site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') - end - end + config.vm.network :private_network, ip: vconfig.fetch('vagrant_ip'), hostsupdater: 'skip' main_hostname, *hostnames = site_hosts.map { |host| host['canonical'] } config.vm.hostname = main_hostname - redirects = site_hosts.flat_map { |host| host['redirects'] }.compact - if Vagrant.has_plugin?('vagrant-hostmanager') && !multisite_subdomains?(wordpress_sites) + redirects = site_hosts.flat_map { |host| host['redirects'] }.compact + config.hostmanager.enabled = true config.hostmanager.manage_host = true config.hostmanager.aliases = hostnames + redirects elsif Vagrant.has_plugin?('landrush') && multisite_subdomains?(wordpress_sites) config.landrush.enabled = true config.landrush.tld = config.vm.hostname - hostnames.each { |host| config.landrush.host host, ip } + hostnames.each { |host| config.landrush.host host, vconfig.fetch('vagrant_ip') } else fail_with_message "vagrant-hostmanager missing, please install the plugin with this command:\nvagrant plugin install vagrant-hostmanager\n\nOr install landrush for multisite subdomains:\nvagrant plugin install landrush" end 
@@ -78,6 +55,7 @@ Vagrant.configure('2') do |config| wordpress_sites.each_pair do |name, site| config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'] end + config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644'] config.vm.synced_folder File.join(ANSIBLE_PATH, 'bin'), bin_path, mount_options: ['dmode=755', 'fmode=755'] else 
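Review bot: The added `config.vm.synced_folder ANSIBLE_PATH, ANSIBLE_PATH_ON_VM, mount_options: ['dmode=755', 'fmode=644']` shares the whole Trellis directory into the guest world-readable, which presumably includes `group_vars/*/vault.yml` and any vault password file kept under the project root. The site shares in the same branch are owned by `vagrant` with group `www-data`, so code running as the web user can read those files once the share is mounted. If this share only exists for the `ansible_local` provisioner, restrict it to that case or tighten the options to `dmode=750`/`fmode=640`; the condition governing this branch is above the hunk, so I cannot confirm which platforms take it. The neighbouring `dmode=776`/`fmode=775` on the site shares is pre-existing but world-writable and deserves a `# TODO` while the mount options are being touched.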
@@ -88,25 +66,39 @@ Vagrant.configure('2') do |config| config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' end + config.vm.synced_folder ANSIBLE_PATH, '/ansible-nfs', type: 'nfs' config.bindfs.bind_folder '/ansible-nfs', ANSIBLE_PATH_ON_VM, o: 'nonempty', p: '0644,a+D' config.bindfs.bind_folder bin_path, bin_path, perms: '0755' end end + vconfig.fetch('vagrant_synced_folders', []).each do |folder| + options = { + type: folder.fetch('type', 'nfs'), + create: folder.fetch('create', false), + mount_options: folder.fetch('mount_options', []) + } + + config.vm.synced_folder folder['local_path'], folder['destination'], options + + if folder.fetch('bindfs', true) + config.bindfs.bind_folder folder['local_path'], folder['destination'], options + end + end + provisioner = Vagrant::Util::Platform.windows? ? :ansible_local : :ansible provisioning_path = Vagrant::Util::Platform.windows? ? ANSIBLE_PATH_ON_VM : ANSIBLE_PATH + config.vm.provision provisioner do |ansible| if Vagrant::Util::Platform.windows? ansible.install_mode = 'pip' ansible.provisioning_path = provisioning_path - ansible.version = '2.2.0' + ansible.version = vconfig.fetch('vagrant_ansible_version') end ansible.playbook = File.join(provisioning_path, 'dev.yml') - unless ENV['SKIP_GALAXY'] - ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') - end + ansible.galaxy_role_file = File.join(provisioning_path, 'requirements.yml') unless vconfig.fetch('vagrant_skip_galaxy') || ENV['SKIP_GALAXY'] ansible.galaxy_roles_path = File.join(provisioning_path, 'vendor/roles') ansible.groups = { 
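Review bot: In the new `vagrant_synced_folders` loop, `config.bindfs.bind_folder` runs whenever `folder.fetch('bindfs', true)` is true, regardless of platform or whether the vagrant-bindfs plugin is loaded, whereas the site folders above only reach bindfs inside the `else` branch (the `if` itself is above this hunk). Gate it the same way: `if folder.fetch('bindfs', true) && Vagrant.has_plugin?('vagrant-bindfs')`, or `fail_with_message` when bindfs was requested but the plugin is absent. `folder['local_path']` and `folder['destination']` are read with `[]`, so a missing key passes `nil` into `synced_folder` instead of naming the broken entry; `folder.fetch('local_path')` would surface the config error at the right line.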
@@ -114,11 +106,9 @@ Vagrant.configure('2') do |config| 'development' => ['default'] } - if tags = ENV['ANSIBLE_TAGS'] - ansible.tags = tags - end + ansible.tags = ENV['ANSIBLE_TAGS'] + ansible.extra_vars = { 'vagrant_version' => Vagrant::VERSION } - ansible.extra_vars = {'vagrant_version' => Vagrant::VERSION} if vars = ENV['ANSIBLE_VARS'] extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] ansible.extra_vars.merge(extra_vars) @@ -128,8 +118,8 @@ Vagrant.configure('2') do |config| # Virtualbox settings config.vm.provider 'virtualbox' do |vb| vb.name = config.vm.hostname - vb.customize ['modifyvm', :id, '--cpus', cpus] - vb.customize ['modifyvm', :id, '--memory', memory] + vb.customize ['modifyvm', :id, '--cpus', vconfig.fetch('vagrant_cpus')] + vb.customize ['modifyvm', :id, '--memory', vconfig.fetch('vagrant_memory')] # Fix for slow external network connections vb.customize ['modifyvm', :id, '--natdnshostresolver1', 'on'] 
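Review bot: The new `ansible.extra_vars = { 'vagrant_version' => Vagrant::VERSION }` is followed by the unchanged `ansible.extra_vars.merge(extra_vars)`, whose return value is discarded, so anything passed via `ANSIBLE_VARS` never reaches the provisioner. Since the commit rewrote this spot, use the mutating form, `ansible.extra_vars.merge!(extra_vars)`, or build the hash once before assigning. `ansible.tags = ENV['ANSIBLE_TAGS']` now assigns `nil` when the variable is unset; the provisioner presumably treats that as "no tag filter", but the removed `if` made that explicit and a comment should say so. `extra_vars` is built from `pair.split('=')`, so a value containing `=` is truncated — pre-existing, but `pair.split('=', 2)` fixes it in place.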
@@ -140,43 +130,16 @@ Vagrant.configure('2') do |config| ['vmware_fusion', 'vmware_workstation'].each do |provider| config.vm.provider provider do |vmw, override| vmw.name = config.vm.hostname - vmw.vmx['numvcpus'] = cpus - vmw.vmx['memsize'] = memory + vmw.vmx['numvcpus'] = vconfig.fetch('vagrant_cpus') + vmw.vmx['memsize'] = vconfig.fetch('vagrant_memory') end end # Parallels settings config.vm.provider 'parallels' do |prl, override| prl.name = config.vm.hostname - prl.cpus = cpus + prl.cpus = vconfig.fetch('vagrant_cpus') + prl.memory = vconfig.fetch('vagrant_memory') prl.update_guest_tools = true - prl.memory = memory end - -end - -def local_site_path(site) - File.expand_path(site['local_path'], ANSIBLE_PATH) -end - -def multisite_subdomains?(wordpress_sites) - wordpress_sites.any? { |(_name, site)| site['multisite'].fetch('enabled', false) && site['multisite'].fetch('subdomains', false) } -end - -def nfs_path(site_name) - "/vagrant-nfs-#{site_name}" -end - -def post_up_message - msg = 'Your Trellis Vagrant box is ready to use!' - msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine." - msg << "\n* You can SSH into the machine with `vagrant ssh`." - msg << "\n* Then navigate to your WordPress sites at `/srv/www`" - msg << "\n or to your Trellis files at `#{ANSIBLE_PATH_ON_VM}`." - - msg -end - -def remote_site_path(site_name, site) - "/srv/www/#{site_name}/#{site['current_path'] || 'current'}" end diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb new file mode 100644 index 0000000000..11e1d82ae9 --- /dev/null +++ b/lib/trellis/vagrant.rb 
@@ -0,0 +1,64 @@ +# Set Ansible paths relative to Ansible directory +ENV['ANSIBLE_CONFIG'] = ANSIBLE_PATH +ENV['ANSIBLE_CALLBACK_PLUGINS'] = "~/.ansible/plugins/callback_plugins/:/usr/share/ansible_plugins/callback_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/callback')}" +ENV['ANSIBLE_FILTER_PLUGINS'] = "~/.ansible/plugins/filter_plugins/:/usr/share/ansible_plugins/filter_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/filter')}" +ENV['ANSIBLE_LIBRARY'] = "/usr/share/ansible:#{File.join(ANSIBLE_PATH, 'lib/trellis/modules')}" +ENV['ANSIBLE_ROLES_PATH'] = File.join(ANSIBLE_PATH, 'vendor', 'roles') +ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" + +def fail_with_message(msg) + fail Vagrant::Errors::VagrantError.new, msg +end + +def load_wordpress_sites + config_file = File.join(ANSIBLE_PATH, 'group_vars', 'development', 'wordpress_sites.yml') + + if File.exists?(config_file) + wordpress_sites = YAML.load_file(config_file)['wordpress_sites'] + fail_with_message "No sites found in #{config_file}." if wordpress_sites.to_h.empty? + else + fail_with_message "#{config_file} was not found. Please set `ANSIBLE_PATH` in your Vagrantfile." + end + + wordpress_sites +end + +def local_site_path(site) + File.expand_path(site['local_path'], ANSIBLE_PATH) +end + +def multisite_subdomains?(wordpress_sites) + wordpress_sites.any? do |(_name, site)| + site['multisite'].fetch('enabled', false) && site['multisite'].fetch('subdomains', false) + end +end + +def nfs_path(site_name) + "/vagrant-nfs-#{site_name}" +end + +def post_up_message + msg = 'Your Trellis Vagrant box is ready to use!' + msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine." + msg << "\n* You can SSH into the machine with `vagrant ssh`." 
+ msg << "\n* Then navigate to your WordPress sites at `/srv/www`" + msg << "\n or to your Trellis files at `#{ANSIBLE_PATH_ON_VM}`." + + msg +end + +def remote_site_path(site_name, site) + "/srv/www/#{site_name}/#{site['current_path'] || 'current'}" +end + +def hosts(sites) + site_hosts = sites.flat_map { |(_name, site)| site['site_hosts'] } + + site_hosts.each do |host| + if !host.is_a?(Hash) || !host.has_key?('canonical') + fail_with_message File.read(File.join(ANSIBLE_PATH, 'roles/common/templates/site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') + end + end + + site_hosts +end diff --git a/vagrant.default.yml b/vagrant.default.yml new file mode 100644 index 0000000000..32b3185949 --- /dev/null +++ b/vagrant.default.yml @@ -0,0 +1,18 @@ +--- +vagrant_ip: '192.168.50.5' +vagrant_cpus: 1 +vagrant_memory: 1024 # in MB +vagrant_box: 'bento/ubuntu-16.04' +vagrant_box_version: '2.2.9' +vagrant_ansible_version: '2.2.2' +vagrant_skip_galaxy: false + +# Array of synced folders: +# - local_path: . +# destination: /path/on/vm +# create: false +# type: nfs +# bindfs: true +# mount_options: [] +# See https://www.vagrantup.com/docs/synced-folders/basic_usage.html#mount_options +vagrant_synced_folders: [] From db5c3dacb82944626933a8e940a3171eaee61e1a Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 22 Apr 2017 18:24:41 -0400 Subject: [PATCH 213/292] Fixes --- CHANGELOG.md | 2 +- Vagrantfile | 6 ++++-- lib/trellis/vagrant.rb | 28 ++++++++++++++-------------- vagrant.default.yml | 3 ++- 4 files changed, 21 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2345db5f2a..6a2a80b53d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
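Review bot: In `hosts`, the failure path chains `File.read(...).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev')`; `sub!` returns `nil` when the placeholder is absent, so an edit to `site_hosts.j2` turns the intended error message into a `NoMethodError` on `nil`. Use the non-bang forms: `.sub('{{ env }}', 'development').gsub(/com$/, 'dev')`. `load_wordpress_sites` calls `File.exists?` while the Vagrantfile in the same commit uses `File.exist?`; the former is deprecated in Ruby and the two should agree. `YAML.load_file(config_file)` allows arbitrary object construction, which is acceptable for a repository-controlled file that sits beside a Vagrantfile running arbitrary Ruby anyway, but `YAML.safe_load` would document that only plain data is expected.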
@@ -1,6 +1,6 @@ ### HEAD -* Ansible 2.3 compatibility ([#813](https://github.com/roots/trellis/pull/813)) * Add Vagrant config ([#828](https://github.com/roots/trellis/pull/828)) +* Ansible 2.3 compatibility ([#813](https://github.com/roots/trellis/pull/813)) * Remove potentially dangerous `db_import` option ([#825](https://github.com/roots/trellis/pull/825)) ### 1.0.0-rc.1: April 7th, 2017 diff --git a/Vagrantfile b/Vagrantfile index c7bbbe8ffd..5d4cb09fe0 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -80,10 +80,12 @@ Vagrant.configure('2') do |config| mount_options: folder.fetch('mount_options', []) } - config.vm.synced_folder folder['local_path'], folder['destination'], options + destination_folder = folder.fetch('bindfs', true) ? nfs_path(folder['destination']) : folder['destination'] + + config.vm.synced_folder folder['local_path'], destination_folder, options if folder.fetch('bindfs', true) - config.bindfs.bind_folder folder['local_path'], folder['destination'], options + config.bindfs.bind_folder destination_folder, folder['destination'], folder.fetch('bindfs_options', {}) end end diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index 11e1d82ae9..abd4348b90 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -10,6 +10,18 @@ def fail_with_message(msg) fail Vagrant::Errors::VagrantError.new, msg end +def hosts(sites) + site_hosts = sites.flat_map { |(_name, site)| site['site_hosts'] } + + site_hosts.each do |host| + if !host.is_a?(Hash) || !host.has_key?('canonical') + fail_with_message File.read(File.join(ANSIBLE_PATH, 'roles/common/templates/site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') + end + end + + site_hosts +end + def load_wordpress_sites config_file = File.join(ANSIBLE_PATH, 'group_vars', 'development', 'wordpress_sites.yml') 
@@ -33,8 +45,8 @@ def multisite_subdomains?(wordpress_sites) end end -def nfs_path(site_name) - "/vagrant-nfs-#{site_name}" +def nfs_path(path) + "/vagrant-nfs-#{File.basename(path)}" end def post_up_message @@ -50,15 +62,3 @@ def post_up_message def remote_site_path(site_name, site) "/srv/www/#{site_name}/#{site['current_path'] || 'current'}" end - -def hosts(sites) - site_hosts = sites.flat_map { |(_name, site)| site['site_hosts'] } - - site_hosts.each do |host| - if !host.is_a?(Hash) || !host.has_key?('canonical') - fail_with_message File.read(File.join(ANSIBLE_PATH, 'roles/common/templates/site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') - end - end - - site_hosts -end diff --git a/vagrant.default.yml b/vagrant.default.yml index 32b3185949..d3cfc797eb 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '2.2.9' -vagrant_ansible_version: '2.2.2' +vagrant_ansible_version: '2.3.0' vagrant_skip_galaxy: false # Array of synced folders: @@ -14,5 +14,6 @@ vagrant_skip_galaxy: false # type: nfs # bindfs: true # mount_options: [] +# bindfs_options: {} # See https://www.vagrantup.com/docs/synced-folders/basic_usage.html#mount_options vagrant_synced_folders: [] From b0563ed0492757db4a972b22d20e09f2f7ac2ac4 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 14 Apr 2017 15:30:13 -0400 Subject: [PATCH 214/292] Auto-install Vagrant plugins --- Vagrantfile | 2 ++ lib/trellis/vagrant.rb | 12 ++++++++++++ vagrant.default.yml | 5 +++++ 3 files changed, 19 insertions(+) diff --git a/Vagrantfile b/Vagrantfile index 5d4cb09fe0..9e8fc6c7ed 100644 --- a/Vagrantfile +++ b/Vagrantfile 
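Review bot: `nfs_path(path)` now derives the intermediate mount from `File.basename(path)`, so two `vagrant_synced_folders` destinations sharing a last component (say `/a/shared` and `/b/shared`) both map to `/vagrant-nfs-shared` and the second export silently overlays the first; a destination such as `/srv/www/example.com` likewise collides with the site mount produced by `nfs_path('example.com')`. Derive the name from the whole path instead, e.g. `"/vagrant-nfs-#{path.tr('/', '-').squeeze('-').sub(/^-/, '')}"`, or `fail_with_message` when two entries resolve to the same mount. Existing callers pass a bare site name, for which `File.basename` is a no-op, so the change is otherwise compatible.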
@@ -14,6 +14,8 @@ if File.exist?("#{ANSIBLE_PATH}/vagrant.local.yml") vconfig.merge!(local_config) if local_config end +ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_install_plugins') + wordpress_sites = load_wordpress_sites site_hosts = hosts(wordpress_sites) diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index abd4348b90..f4e0ec5b9b 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -6,6 +6,18 @@ ENV['ANSIBLE_ROLES_PATH'] = File.join(ANSIBLE_PATH, 'vendor', 'roles') ENV['ANSIBLE_VARS_PLUGINS'] = "~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:#{File.join(ANSIBLE_PATH, 'lib/trellis/plugins/vars')}" +def ensure_plugins(plugins) + logger = Vagrant::UI::Colored.new + + plugins.each do |plugin| + manager = Vagrant::Plugin::Manager.instance + next if manager.installed_plugins.has_key?(plugin) + + logger.warn("Installing plugin #{plugin}") + manager.install_plugin(plugin) + end +end + def fail_with_message(msg) fail Vagrant::Errors::VagrantError.new, msg end diff --git a/vagrant.default.yml b/vagrant.default.yml index d3cfc797eb..d0bd0ccebe 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -7,6 +7,11 @@ vagrant_box_version: '2.2.9' vagrant_ansible_version: '2.3.0' vagrant_skip_galaxy: false +vagrant_install_plugins: true +vagrant_plugins: + - vagrant-bindfs + - vagrant-hostmanager + # Array of synced folders: # - local_path: . # destination: /path/on/vm From 5f3bd862039cdb4605d13fb7f9f777fdb77b8c64 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Fri, 14 Apr 2017 16:05:16 -0400 Subject: [PATCH 215/292] Remove plugins from README --- CHANGELOG.md | 1 + README.md | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6a2a80b53d..02186bbd08 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Auto-install Vagrant plugins ([#829](https://github.com/roots/trellis/pull/829)) * Add Vagrant config ([#828](https://github.com/roots/trellis/pull/828)) * Ansible 2.3 compatibility ([#813](https://github.com/roots/trellis/pull/813)) * Remove potentially dangerous `db_import` option ([#825](https://github.com/roots/trellis/pull/825)) diff --git a/README.md b/README.md index feefe932eb..ede7f1335b 100644 --- a/README.md +++ b/README.md @@ -34,8 +34,6 @@ Make sure all dependencies have been installed before moving on: * [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) >= 2.2 * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 1.8.5 -* [vagrant-bindfs](https://github.com/gael-ian/vagrant-bindfs#installation) >= 0.3.1 (Windows users may skip this) -* [vagrant-hostmanager](https://github.com/smdahlen/vagrant-hostmanager#installation) ## Installation From 95203c99c757444d7eade7e53cb074763f604b39 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sat, 22 Apr 2017 23:25:40 -0400 Subject: [PATCH 216/292] Add re-run vagrant up message --- lib/trellis/vagrant.rb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index f4e0ec5b9b..7a6b55023a 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -8,13 +8,20 @@ def ensure_plugins(plugins) logger = Vagrant::UI::Colored.new + installed = false plugins.each do |plugin| manager = Vagrant::Plugin::Manager.instance next if manager.installed_plugins.has_key?(plugin) logger.warn("Installing plugin #{plugin}") - manager.install_plugin(plugin) + manager.install_plugin(plugin, sources: Vagrant::Bundler::DEFAULT_GEM_SOURCES) + installed = true + end + + if installed + logger.warn('`vagrant up` must be re-run now that plugins are installed') + exit end end 
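Review bot: The new `exit` after installing plugins terminates with status 0, so a scripted `vagrant up && ...` treats the aborted run as success even though no machine was brought up and provisioning never ran. Exit non-zero, `exit 1`, or route through `fail_with_message` so callers and CI see the failure, and carry the re-run instruction in that message. `ensure_plugins` is invoked from the top of the Vagrantfile, so this early exit fires for every Vagrant command, including `vagrant ssh` and `vagrant destroy`; that is presumably intended but deserves a comment at the call site.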
From 4bf820acfed1740303b70017ad408b47085ebc38 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Sun, 23 Apr 2017 16:50:05 -0400 Subject: [PATCH 217/292] Add options for sources and version --- lib/trellis/vagrant.rb | 14 +++++++++++--- vagrant.default.yml | 4 ++-- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index 7a6b55023a..8f618c55bc 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -11,11 +11,19 @@ def ensure_plugins(plugins) installed = false plugins.each do |plugin| + plugin_name = plugin['name'] manager = Vagrant::Plugin::Manager.instance - next if manager.installed_plugins.has_key?(plugin) - logger.warn("Installing plugin #{plugin}") - manager.install_plugin(plugin, sources: Vagrant::Bundler::DEFAULT_GEM_SOURCES) + next if manager.installed_plugins.has_key?(plugin_name) + + logger.warn("Installing plugin #{plugin_name}") + + manager.install_plugin( + plugin_name, + sources: plugin.fetch('source', %w(https://rubygems.org/ https://gems.hashicorp.com/)), + version: plugin['version'] + ) + installed = true end diff --git a/vagrant.default.yml b/vagrant.default.yml index d0bd0ccebe..4c5f5e8f3c 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -9,8 +9,8 @@ vagrant_skip_galaxy: false vagrant_install_plugins: true vagrant_plugins: - - vagrant-bindfs - - vagrant-hostmanager + - name: vagrant-bindfs + - name: vagrant-hostmanager # Array of synced folders: # - local_path: . From 45f8936fa3218b74d674f9bf9cbfcd921e7fdeeb Mon Sep 17 00:00:00 2001 From: alkymst Date: Mon, 1 May 2017 17:52:02 -0600 Subject: [PATCH 218/292] skip plugins with WP-CLI, to avoid crappy plugins breaking deploys --- roles/deploy/hooks/finalize-after.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 47712dcebc..a89283ac7c 100644 --- a/roles/deploy/hooks/finalize-after.yml 
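Review bot: `version: plugin['version']` is `nil` for both entries shipped in `vagrant.default.yml` (`- name: vagrant-bindfs`, `- name: vagrant-hostmanager`), so `install_plugin` fetches whatever rubygems.org or gems.hashicorp.com currently serves as latest and loads it into the user's Vagrant on the next `vagrant up`. Pin the defaults to the release you tested and state in the comment block that omitting `version` means unpinned-latest. The `next if manager.installed_plugins.has_key?(plugin_name)` skip means a requested `version` is never enforced once any version is installed; either compare the installed version against the constraint or document that `version` only applies to the first install. `plugin.fetch('source', ...)` accepts arbitrary gem sources from `vagrant.local.yml`, which is reasonable for a local override but should be called out as trusting that source.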
+++ b/roles/deploy/hooks/finalize-after.yml @@ -12,7 +12,7 @@ when: project.update_db_on_deploy | default(update_db_on_deploy) - name: Get WP theme template root - command: wp option get template_root + command: wp option get template_root --skip-plugins args: chdir: "{{ deploy_helper.current_path }}" register: wp_template_root From f234829cc2bed76425bca1bd7aafc1712ca32661 Mon Sep 17 00:00:00 2001 From: QWp6t Date: Thu, 8 Jun 2017 20:59:51 -0700 Subject: [PATCH 219/292] Add variable to enable/disable system cron task for multisite --- group_vars/development/wordpress_sites.yml | 1 + group_vars/production/wordpress_sites.yml | 1 + group_vars/staging/wordpress_sites.yml | 1 + roles/wordpress-setup/tasks/main.yml | 2 +- 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml index 5153ccc612..4b368b8297 100644 --- a/group_vars/development/wordpress_sites.yml +++ b/group_vars/development/wordpress_sites.yml @@ -12,6 +12,7 @@ wordpress_sites: admin_email: admin@example.dev multisite: enabled: false + cron: false ssl: enabled: false provider: self-signed diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml index e8a875d1ca..dacb3f8843 100644 --- a/group_vars/production/wordpress_sites.yml +++ b/group_vars/production/wordpress_sites.yml @@ -14,6 +14,7 @@ wordpress_sites: branch: master multisite: enabled: false + cron: false ssl: enabled: false provider: letsencrypt diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml index 054770ea7a..7b80c7c9b0 100644 --- a/group_vars/staging/wordpress_sites.yml +++ b/group_vars/staging/wordpress_sites.yml @@ -14,6 +14,7 @@ wordpress_sites: branch: master multisite: enabled: false + cron: false ssl: enabled: false provider: letsencrypt diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index b7f578c875..9ec82193ae 100644 
--- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -59,4 +59,4 @@ job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" - when: site_env.disable_wp_cron and item.value.multisite.enabled | default(false) + when: site_env.disable_wp_cron and item.value.multisite.enabled and item.value.multisite.cron | default(false) From e5fbe4fd9c28ca76098629a1acbc75aa057378c7 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 12 Jun 2017 14:08:22 -0600 Subject: [PATCH 220/292] Update wp-cli to 1.2.1 (#838) --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02186bbd08..56e53b0201 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update WP-CLI to 1.2.1 ([#838](https://github.com/roots/trellis/pull/838)) * Auto-install Vagrant plugins ([#829](https://github.com/roots/trellis/pull/829)) * Add Vagrant config ([#828](https://github.com/roots/trellis/pull/828)) * Ansible 2.3 compatibility ([#813](https://github.com/roots/trellis/pull/813)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 8ed1442c7e..31a23f2324 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.1.0 +wp_cli_version: 1.2.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From 049d2695f4d01587a1714b8c078da03909ae813e Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Wed, 14 Jun 2017 22:54:36 -0600 Subject: [PATCH 221/292] Update WP theme paths only when template_root in releases_path (#840) The update is needed only to fix the release subdirectory, so it is safest to condition the update upon the releases_path being in the template_root. This avoids overwriting less common template_root values such as subdirectories of plugins, etc. --- roles/deploy/hooks/finalize-after.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index a89283ac7c..65b510e0b9 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -23,7 +23,7 @@ command: wp option set {{ item }} {{ deploy_helper.new_release_path }}/web/wp/wp-content/themes args: chdir: "{{ deploy_helper.current_path }}" - when: wp_template_root.stdout != '' and wp_template_root.stdout != '/themes' + when: deploy_helper.releases_path in wp_template_root.stdout with_items: - stylesheet_root - template_root From 928841675fadadbd462df71b0918552e14e25c20 Mon Sep 17 00:00:00 2001 From: QWp6t Date: Sun, 18 Jun 2017 09:17:07 -0700 Subject: [PATCH 222/292] Option to install WP-CLI packages (#837) --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 1 + roles/wp-cli/tasks/main.yml | 9 +++++++++ 3 files changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 56e53b0201..6aec9aec7b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Option to install WP-CLI packages ([#837](https://github.com/roots/trellis/pull/837)) * Update WP-CLI to 1.2.1 ([#838](https://github.com/roots/trellis/pull/838)) * Auto-install Vagrant plugins ([#829](https://github.com/roots/trellis/pull/829)) * Add Vagrant config ([#828](https://github.com/roots/trellis/pull/828)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 31a23f2324..bc19f77a82 100644 --- a/roles/wp-cli/defaults/main.yml 
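Review bot: `when: deploy_helper.releases_path in wp_template_root.stdout` is a substring test, so a `template_root` outside the releases tree whose path merely contains the releases path (a sibling like `releases_backup`, or a plugin directory that embeds it) still triggers the overwrite. Anchor it to the path boundary: `when: wp_template_root.stdout.startswith(deploy_helper.releases_path ~ '/')`. The unchanged `wp option set {{ item }} {{ deploy_helper.new_release_path }}/...` interpolates both values unquoted; `command` does not go through a shell, but a release path containing whitespace would still split into extra arguments, so quoting the path is worth doing while this task is being touched.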
+++ b/roles/wp-cli/defaults/main.yml @@ -3,3 +3,4 @@ wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" wp_cli_completion_path: /etc/bash_completion.d/wp-completion.bash +wp_cli_packages: [] diff --git a/roles/wp-cli/tasks/main.yml b/roles/wp-cli/tasks/main.yml index 6f73c31e55..c3f6770953 100644 --- a/roles/wp-cli/tasks/main.yml +++ b/roles/wp-cli/tasks/main.yml @@ -23,3 +23,12 @@ warn: false register: wp_cli_completion changed_when: wp_cli_completion.stdout == 'wp-completion-' + wp_cli_version + '.bash' + +- name: Install WP-CLI packages + command: wp package install {{ item }} + become_user: "{{ web_user }}" + register: wp_cli_packages_installed + changed_when: + - "'Nothing to install or update' not in wp_cli_packages_installed.stdout" + - "'Package operations: 0 installs, 0 updates, 0 removals' not in wp_cli_packages_installed.stdout" + with_items: "{{ wp_cli_packages }}" From 6f6c908bf245ba6b64eadab0c787e130acdf59b9 Mon Sep 17 00:00:00 2001 From: Patrick Artounian Date: Fri, 16 Jun 2017 21:54:37 -0700 Subject: [PATCH 223/292] Remove output about running WP-CLI and Composer --- lib/trellis/vagrant.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index 8f618c55bc..d25b44fe59 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb 
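Review bot: `command: wp package install {{ item }}` installs each `wp_cli_packages` entry from its upstream (Packagist or a Git URL) with no version pin and no integrity check, as `{{ web_user }}` on every provisioning run, which puts unreviewed third-party PHP into the deploy path. Document beside `wp_cli_packages: []` that entries should carry an explicit version (`vendor/package:x.y.z` or a commit-pinned Git URL) and that the source is trusted at install time. The task has `changed_when` heuristics on stdout but no `failed_when` or `register`-based check of stderr, so a package that resolves with warnings and exits 0 is reported as changed with nothing to distinguish it from a clean install. `{{ item }}` is interpolated unquoted; that is safe only because `command` bypasses the shell, and a one-line comment saying the list comes from trusted operator config would make the assumption explicit.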
@@ -78,7 +78,8 @@ def nfs_path(path) def post_up_message msg = 'Your Trellis Vagrant box is ready to use!' - msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine." + msg << "\n* Composer and WP-CLI commands need to be run on the virtual machine" + msg << "\n for any post-provision modifications." msg << "\n* You can SSH into the machine with `vagrant ssh`." msg << "\n* Then navigate to your WordPress sites at `/srv/www`" msg << "\n or to your Trellis files at `#{ANSIBLE_PATH_ON_VM}`." From 2724fdd8c3dac604f4b9d756f2f662926bf50e00 Mon Sep 17 00:00:00 2001 From: QWp6t Date: Sun, 18 Jun 2017 22:53:34 -0700 Subject: [PATCH 224/292] Check for multisite.cron if multisite.enabled --- roles/wordpress-setup/tasks/main.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 9ec82193ae..6df1a90014 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -49,7 +49,9 @@ job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" - when: site_env.disable_wp_cron | default(false) + when: + - site_env.disable_wp_cron + - not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true)) - name: Setup WP Multisite system cron cron: 
@@ -59,4 +61,6 @@ job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" - when: site_env.disable_wp_cron and item.value.multisite.enabled and item.value.multisite.cron | default(false) + when: + - site_env.disable_wp_cron + - item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true) From 2ecd64cc0fc10880e4b41aa7574803a56229fe3e Mon Sep 17 00:00:00 2001 From: Anders Fajerson Date: Mon, 19 Jun 2017 16:27:40 +0200 Subject: [PATCH 225/292] Add support for SMTP without authentication --- roles/ssmtp/templates/ssmtp.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/ssmtp/templates/ssmtp.conf.j2 b/roles/ssmtp/templates/ssmtp.conf.j2 index e7a5251aaa..14b5bd28cb 100644 --- a/roles/ssmtp/templates/ssmtp.conf.j2 +++ b/roles/ssmtp/templates/ssmtp.conf.j2 @@ -7,5 +7,9 @@ UseTLS={{ ssmtp_tls }} UseSTARTTLS={{ ssmtp_start_tls }} hostname={{ mail_hostname }} mailhub={{ mail_smtp_server }} +{% if mail_user is defined %} AuthUser={{ mail_user }} +{% endif %} +{% if mail_password is defined %} AuthPass={{ mail_password }} +{% endif %} From c728d4ddd47eb45667a5e8b447608eb82631de2d Mon Sep 17 00:00:00 2001 From: QWp6t Date: Tue, 20 Jun 2017 00:09:45 -0700 Subject: [PATCH 226/292] Add cron_enabled helper --- group_vars/all/helpers.yml | 1 + roles/wordpress-setup/tasks/main.yml | 8 ++------ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index e8dd9325aa..156f521cd8 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
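Review bot: The two new guards are independent, so a setup where `mail_user` is defined but `mail_password` is not (for example a misspelled vault key) now renders `AuthUser` with no `AuthPass`, and the template no longer fails loudly on the missing variable as it did before this change. Require the pair together, `{% if mail_user is defined and mail_password is defined %}` around both lines, and `fail`/`assert` in the role tasks when exactly one is set. When credentials are present the file should also force `UseTLS=YES` (or STARTTLS) rather than inheriting whatever `ssmtp_tls` resolves to, because `AuthPass` otherwise travels to `mailhub` in clear; the defaults for those variables are outside this hunk, so I cannot confirm what they currently are.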
@@ -14,3 +14,4 @@ site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | l site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}" +cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}" diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 6df1a90014..9ce8258f69 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -49,9 +49,7 @@ job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" - when: - - site_env.disable_wp_cron - - not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true)) + when: cron_enabled - name: Setup WP Multisite system cron cron: @@ -61,6 +59,4 @@ job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" - when: - - site_env.disable_wp_cron - - item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true) + when: item.value.multisite.enabled and cron_enabled From 624ad4e7722b6c626cab37bb03662e38def99055 Mon Sep 17 00:00:00 2001 
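Review bot: The new `when: item.value.multisite.enabled and cron_enabled` in the last hunk references `multisite.enabled` without the `| default(false)` that the `cron_enabled` helper and the first hunk apply, so a `wordpress_sites` entry that omits the `multisite` key fails the task with an undefined-variable error instead of skipping it; `when: item.value.multisite.enabled | default(false) and cron_enabled` keeps the two consistent. The same bare reference appears in both hunks of the later "Only one cron task should be created for multisite" patch. The `cron_enabled` helper encodes `not enabled or (enabled and cron)`, which is equivalent to `not enabled or cron`; `{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or item.value.multisite.cron | default(true)) }}` says the same thing with less to read.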
From: Mehdi Lahlou Date: Thu, 22 Jun 2017 17:04:26 +0200 Subject: [PATCH 227/292] Add self signed certificates subdomains (#812) * Add support for all alternate hosts and subdomains in self-signed certificates * Replace server_name expression by new `multisite_subdomains_wildcards` helper variable * Use `nginx_ssl_path` helper variable --- group_vars/all/helpers.yml | 1 + .../tasks/self-signed-certificate.yml | 21 ++++++++++++++----- .../templates/wordpress-site.conf.j2 | 6 +++--- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index e8dd9325aa..b49bfad03f 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml @@ -13,4 +13,5 @@ site_env: "{{ wordpress_env_defaults | combine(item.value.env | default({}), vau site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}" site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}" site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" +multisite_subdomains_wildcards: "{{ item.value.multisite.subdomains | default(false) | ternary( site_hosts_canonical | map('regex_replace', '^(www\\.)?(.*)$', '*.\\2') | list, [] ) }}" ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}" diff --git a/roles/wordpress-setup/tasks/self-signed-certificate.yml b/roles/wordpress-setup/tasks/self-signed-certificate.yml index 5e9cda2d6a..80c6600cb1 100644 --- a/roles/wordpress-setup/tasks/self-signed-certificate.yml +++ b/roles/wordpress-setup/tasks/self-signed-certificate.yml 
@@ -1,11 +1,22 @@ --- - name: Generate self-signed certificates - shell: > - openssl req -subj "/CN={{ item.value.site_hosts[0].canonical }}" -new - -newkey rsa:2048 -days 3650 -nodes -x509 -sha256 - -keyout {{ item.key }}.key -out {{ item.key }}.cert + shell: "openssl req -new -newkey rsa:2048 \ + -days 3650 -nodes -x509 -sha256 \ + -extensions req_ext -config <( \ +cat <<' EOF'\n +[req]\n +prompt = no\n +distinguished_name = req_dn\n +[req_dn]\n +commonName = {{ item.value.site_hosts[0].canonical }}\n +[req_ext]\n +subjectAltName = {{ site_hosts | union(multisite_subdomains_wildcards) | map('regex_replace', '(.*)', 'DNS:\\1') | join(',') }}\n +EOF\n + ) \ + -keyout {{ item.key | quote }}.key -out {{ item.key | quote }}.cert" args: - chdir: "{{ nginx_path }}/ssl" + executable: "/bin/bash" + chdir: "{{ nginx_ssl_path }}" creates: "{{ item.key }}.*" with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.provider | default('manual') == 'self-signed' diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 240b3dc45e..2c2aebb524 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -5,7 +5,7 @@ server { {% block server_id -%} listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; - server_name {{ site_hosts_canonical | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | map('regex_replace', '^www\.', '') | join(' *.') }}{% endif %}; + server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }}; {% endblock %} {% block logs -%} @@ -45,7 +45,7 @@ server { {% endif -%} {% endblock -%} - + {% block multisite_rewrites -%} {% if item.value.multisite.enabled | default(false) -%} # Multisite rewrites 
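Review bot: The new `shell:` task interpolates `{{ item.value.site_hosts[0].canonical }}` and the `subjectAltName` list directly into an openssl config assembled in a heredoc, so a host value containing a newline or `[` changes the meaning of the config rather than producing an invalid certificate; these values come from the operator's `wordpress_sites`, so this is a misconfiguration risk rather than untrusted input, but `| quote` does not help inside the heredoc and a preceding `assert` that each host matches a hostname or wildcard pattern would catch it at provisioning time. The quoted delimiter `<<' EOF'` appears to work only because YAML double-quoted folding turns each continuation line's break into a single leading space, so every heredoc line including the terminator arrives as ` EOF`; that coupling deserves a comment above the task, e.g. `# heredoc delimiter is ' EOF' (leading space): YAML line folding prefixes each heredoc line with one space`. `creates: "{{ item.key }}.*"` keeps the unquoted key while the `-keyout`/`-out` arguments now use `| quote`; keeping them consistent avoids a mismatch for keys containing shell-significant characters.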
@@ -157,7 +157,7 @@ server { # Redirect to https server { listen 80; - server_name {{ site_hosts | join(' ') }}{% if item.value.multisite.subdomains | default(false) %} *.{{ site_hosts_canonical | map('regex_replace', '^www\.', '') | join(' *.') }}{% endif %}; + server_name {{ site_hosts | union(multisite_subdomains_wildcards) | join(' ') }}; {{ self.acme_challenge() -}} From 456bb83076c30852a8eecccd8d2d82ec8547a189 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 22 Jun 2017 18:25:28 -0600 Subject: [PATCH 228/292] Reload Nginx with updates to manual cert or key (#843) --- roles/wordpress-setup/tasks/nginx.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index b4f3f43c0e..b55abd569e 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -6,6 +6,7 @@ mode: 0640 with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.cert is defined + notify: reload nginx - name: Copy SSL key copy: @@ -14,6 +15,7 @@ mode: 0600 with_dict: "{{ wordpress_sites }}" when: ssl_enabled and item.value.ssl.key is defined + notify: reload nginx - include: "{{ playbook_dir }}/roles/common/tasks/disable_challenge_sites.yml" From b5ba38d78bb0c81714845cea57e3d998dc07381d Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Sat, 8 Jul 2017 12:38:58 -0300 Subject: [PATCH 229/292] Fix incorrect file path in vault error template. --- roles/common/templates/wordpress_sites.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/common/templates/wordpress_sites.j2 b/roles/common/templates/wordpress_sites.j2 index a0d10c981a..07e4136cb6 100644 --- a/roles/common/templates/wordpress_sites.j2 +++ b/roles/common/templates/wordpress_sites.j2 
@@ -5,6 +5,6 @@ Sites without a matching vault entry: * `{{ name }}` {% endfor %} -Update `group_vars/{{ env }}/vault_wordpress_sites.yml` to continue. +Update `group_vars/{{ env }}/vault.yml` to continue. Docs: https://roots.io/trellis/docs/wordpress-sites/#passwordssecrets From 3ca4166b5cc5a45f842a8720192fc7aa434eb1e4 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 20 Jul 2017 20:25:57 -0600 Subject: [PATCH 230/292] Deploys: --skip-themes when updating WP template_root (#849) Some WP themes may throw errors if loaded in this context, e.g., some PHP classes may not be available with `--skip-plugins`. It is not necessary to load themes when updating WP options for template_root and stylesheet root, so it is safer to `--skip-themes`. --- CHANGELOG.md | 1 + roles/deploy/hooks/finalize-after.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6aec9aec7b..8326f7839e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Deploys: `--skip-themes` when updating WP `template_root` ([#849](https://github.com/roots/trellis/pull/849)) * Option to install WP-CLI packages ([#837](https://github.com/roots/trellis/pull/837)) * Update WP-CLI to 1.2.1 ([#838](https://github.com/roots/trellis/pull/838)) * Auto-install Vagrant plugins ([#829](https://github.com/roots/trellis/pull/829)) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 65b510e0b9..9201ee6aa6 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -12,7 +12,7 @@ when: project.update_db_on_deploy | default(update_db_on_deploy) - name: Get WP theme template root - command: wp option get template_root --skip-plugins + command: wp option get template_root --skip-plugins --skip-themes args: chdir: "{{ deploy_helper.current_path }}" register: wp_template_root From d926dbbd0ef498f4223b3f8103aa7d8f9375cd16 Mon Sep 17 00:00:00 2001 
From: Phil Nelson Date: Mon, 24 Jul 2017 20:16:11 -0600 Subject: [PATCH 231/292] Accommodate child themes: Update WP stylesheet_root separately (#850) When a child theme is in Bedrock `web/app/themes` and its parent theme is in different directory (e.g., `web/wp/wp-content/themes`), stylesheet_root must be `/themes` while template_root should be updated with the latest deploy releases_path. Prior to this PR, stylesheet_root was always updated with template_root, causing problems for some child themes. --- CHANGELOG.md | 1 + roles/deploy/hooks/finalize-after.yml | 17 ++++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8326f7839e..f5f4cf9057 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Accommodate child themes: Update WP `stylesheet_root` separately ([#850](https://github.com/roots/trellis/pull/850)) * Deploys: `--skip-themes` when updating WP `template_root` ([#849](https://github.com/roots/trellis/pull/849)) * Option to install WP-CLI packages ([#837](https://github.com/roots/trellis/pull/837)) * Update WP-CLI to 1.2.1 ([#838](https://github.com/roots/trellis/pull/838)) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 9201ee6aa6..a6a2b99e6c 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
@@ -11,22 +11,25 @@ chdir: "{{ deploy_helper.current_path }}" when: project.update_db_on_deploy | default(update_db_on_deploy) - - name: Get WP theme template root - command: wp option get template_root --skip-plugins --skip-themes + - name: Get WP theme template and stylesheet roots + command: wp option get {{ item }} --skip-plugins --skip-themes args: chdir: "{{ deploy_helper.current_path }}" register: wp_template_root changed_when: false failed_when: wp_template_root.stderr != "" + with_items: + - template_root + - stylesheet_root - name: Update WP theme paths - command: wp option set {{ item }} {{ deploy_helper.new_release_path }}/web/wp/wp-content/themes + command: > + wp option set {{ item.item }} + {{ item.stdout | regex_replace(deploy_helper.releases_path + '/[^/]+(.*)', deploy_helper.new_release_path + '\1') }} args: chdir: "{{ deploy_helper.current_path }}" - when: deploy_helper.releases_path in wp_template_root.stdout - with_items: - - stylesheet_root - - template_root + when: deploy_helper.releases_path in item.stdout + with_items: "{{ wp_template_root.results }}" when: wp_installed | success From dc6a58158536681612dc4d833ad5e8257da55d36 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 25 Jul 2017 12:47:10 -0600 Subject: [PATCH 232/292] Fix Vagrantfile merge of ANSIBLE_VARS into ansible.extra_vars (#852) --- Vagrantfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 9e8fc6c7ed..4102f4f804 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -115,7 +115,7 @@ Vagrant.configure('2') do |config| if vars = ENV['ANSIBLE_VARS'] extra_vars = Hash[vars.split(',').map { |pair| pair.split('=') }] - ansible.extra_vars.merge(extra_vars) + ansible.extra_vars.merge!(extra_vars) end end From e58a66c0f93cba87494268c4bbc1686991631d0a Mon Sep 17 00:00:00 2001 
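Review bot: `deploy_helper.releases_path` is concatenated into the `regex_replace` pattern without `| regex_escape`, so a releases path containing regex metacharacters (a `.` being the common one) matches more loosely than intended and a `+` or `(` would break the pattern outright; `{{ item.stdout | regex_replace(deploy_helper.releases_path | regex_escape ~ '/[^/]+(.*)', deploy_helper.new_release_path ~ '\1') }}` pins it to the literal path. The `command:` module splits the rendered string on whitespace, so a `template_root` value containing a space would reach `wp option set` as several arguments; wrapping the replaced value in `| quote` keeps it as one argument. The enclosing block (closed by `when: wp_installed | success`) starts above this hunk.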
From: Phil Nelson Date: Sun, 30 Jul 2017 12:12:04 -0600 Subject: [PATCH 233/292] Deploys: Update WP theme paths for multisite subsites Enables Trellis deploys to update template_root and stylesheet_root WP options also for multisite subsites, not just the primary site. Multisite operators who wish to avoid the processing time may define `update_wp_theme_paths: false` Limits targets via `select` statement in `with_subelements` instead of via the `when` condition. This prevents `skipped` output, which could otherwise be very lengthy if an installation has many subsites. --- roles/deploy/hooks/finalize-after.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index a6a2b99e6c..f99be1006e 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
@@ -12,24 +12,33 @@ when: project.update_db_on_deploy | default(update_db_on_deploy) - name: Get WP theme template and stylesheet roots - command: wp option get {{ item }} --skip-plugins --skip-themes + shell: > + {% if not project.multisite.enabled | default(false) %} + wp option get {{ item }} --skip-plugins --skip-themes + {% else %} + wp site list --field=url | xargs -I {} bash -c 'export url="{}"; echo -n "$url " && wp option get {{ item }} --skip-plugins --skip-themes --url=$url || echo' + {% endif %} args: chdir: "{{ deploy_helper.current_path }}" register: wp_template_root changed_when: false failed_when: wp_template_root.stderr != "" + when: update_wp_theme_paths | default(true) | bool with_items: - template_root - stylesheet_root - name: Update WP theme paths command: > - wp option set {{ item.item }} - {{ item.stdout | regex_replace(deploy_helper.releases_path + '/[^/]+(.*)', deploy_helper.new_release_path + '\1') }} + wp option set {{ item[0].option }} + {{ item[1] | regex_replace('.*' + deploy_helper.releases_path + '/[^/]*(.*)', deploy_helper.new_release_path + '\1') }} + {% if project.multisite.enabled | default(false) %} --url={{ item[1].split(' ')[0] }}{% endif %} args: chdir: "{{ deploy_helper.current_path }}" - when: deploy_helper.releases_path in item.stdout - with_items: "{{ wp_template_root.results }}" + when: update_wp_theme_paths | default(true) | bool + with_subelements: + - "[{% for result in wp_template_root.results %}{'option': '{{ result.item }}', 'stdout_lines': {{ result.stdout_lines | select('search', deploy_helper.releases_path) | list }}},{% endfor %}]" + - stdout_lines when: wp_installed | success From 3cf196a3ee6044f8b8af9f6de567a817f1322cc7 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Mon, 31 Jul 2017 22:11:47 +0800 Subject: [PATCH 234/292] Nginx: Skip caching WP API --- roles/wordpress-setup/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
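Review bot: In the multisite branch of the new `shell:` task each site URL from `wp site list` is substituted by `xargs -I {}` into the body of the `bash -c '...'` string (`export url="{}"`), so a URL containing a double quote, `$` or backtick is interpreted by the inner bash rather than passed as data; handing it over as a positional argument avoids that: `wp site list --field=url | xargs -I {} bash -c 'echo -n "$1 " && wp option get {{ item }} --skip-plugins --skip-themes --url="$1" || echo' _ {}`. Site URLs come from the WordPress database, so this is as much a robustness point for unusual but valid URLs as a hardening one. `|| echo` only affects the exit status and stdout; any stderr from a failing subsite still trips `failed_when: wp_template_root.stderr != ""`, so confirm that is the intended behaviour. The `regex_replace` pattern in the second hunk still concatenates `deploy_helper.releases_path` without `| regex_escape`.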
diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index d987f25560..9938f7dbc1 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -14,7 +14,7 @@ hsts_preload: "{{ item.value.ssl.hsts_preload | default(nginx_hsts_preload) | te # Fastcgi cache params nginx_cache_duration: 30s -nginx_skip_cache_uri: /wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml +nginx_skip_cache_uri: /wp-admin/|/wp-json/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml nginx_skip_cache_cookie: comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in # Nginx includes From b3eb2e7efd780d98d8f40a06232252977327109f Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Wed, 2 Aug 2017 06:53:22 +0800 Subject: [PATCH 235/292] Allow overriding php-fpm params by ansible variables --- roles/wordpress-setup/defaults/main.yml | 7 +++++++ roles/wordpress-setup/templates/php-fpm.conf.j2 | 10 +++++----- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index 9938f7dbc1..b9ee0ff516 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml @@ -22,3 +22,10 @@ nginx_includes_templates_path: nginx-includes nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }}|{{ nginx_includes_deprecated | regex_escape }})/(.*)\\.j2$" nginx_includes_d_cleanup: true + +# PHP FPM +php_fpm_pm_max_children: 10 +php_fpm_pm_start_servers: 1 +php_fpm_pm_min_spare_servers: 1 +php_fpm_pm_max_spare_servers: 3 +php_fpm_pm_max_requests: 500 diff --git a/roles/wordpress-setup/templates/php-fpm.conf.j2 b/roles/wordpress-setup/templates/php-fpm.conf.j2 index b1ea80ec40..1464745633 100644 --- a/roles/wordpress-setup/templates/php-fpm.conf.j2 
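Review bot: The added `/wp-json/` alternative matches only the pretty-permalink form of REST requests; when a site serves the REST API as `?rest_route=/...` the route lives in the query string, so whether those requests also bypass the cache depends on which Nginx variable this pattern is tested against, which is outside this hunk and worth confirming. If it is matched against `$request_uri` the query string is included and a `rest_route=` alternative would cover that case; if it is matched against `$uri` it would not.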
+++ b/roles/wordpress-setup/templates/php-fpm.conf.j2 @@ -7,11 +7,11 @@ listen.group = www-data user = {{ web_user }} group = {{ web_group }} pm = dynamic -pm.max_children = 10 -pm.start_servers = 1 -pm.min_spare_servers = 1 -pm.max_spare_servers = 3 -pm.max_requests = 500 +pm.max_children = {{ php_fpm_pm_max_children }} +pm.start_servers = {{ php_fpm_pm_start_servers }} +pm.min_spare_servers = {{ php_fpm_pm_min_spare_servers }} +pm.max_spare_servers = {{ php_fpm_pm_max_spare_servers }} +pm.max_requests = {{ php_fpm_pm_max_requests }} chdir = {{ www_root }}/ php_flag[log_errors] = on php_flag[display_errors] = {{ php_display_errors }} From f918e9641961424a1a92411a93ef8ec95a7533fd Mon Sep 17 00:00:00 2001 From: Date: Thu, 3 Aug 2017 08:00:12 -0700 Subject: [PATCH 236/292] Remove multisite.cron from group_vars --- group_vars/development/wordpress_sites.yml | 1 - group_vars/production/wordpress_sites.yml | 1 - group_vars/staging/wordpress_sites.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml index 4b368b8297..5153ccc612 100644 --- a/group_vars/development/wordpress_sites.yml +++ b/group_vars/development/wordpress_sites.yml @@ -12,7 +12,6 @@ wordpress_sites: admin_email: admin@example.dev multisite: enabled: false - cron: false ssl: enabled: false provider: self-signed diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml index dacb3f8843..e8a875d1ca 100644 --- a/group_vars/production/wordpress_sites.yml +++ b/group_vars/production/wordpress_sites.yml @@ -14,7 +14,6 @@ wordpress_sites: branch: master multisite: enabled: false - cron: false ssl: enabled: false provider: letsencrypt diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml index 7b80c7c9b0..054770ea7a 100644 --- a/group_vars/staging/wordpress_sites.yml +++ b/group_vars/staging/wordpress_sites.yml 
@@ -14,7 +14,6 @@ wordpress_sites: branch: master multisite: enabled: false - cron: false ssl: enabled: false provider: letsencrypt From 0c3fc0c5efe547f720b310e112e802910358d01d Mon Sep 17 00:00:00 2001 From: Date: Thu, 3 Aug 2017 08:01:06 -0700 Subject: [PATCH 237/292] Only one cron task should be created for multisite --- roles/wordpress-setup/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 9ce8258f69..1ca11d9910 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -49,7 +49,7 @@ job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" - when: cron_enabled + when: cron_enabled and not item.value.multisite.enabled - name: Setup WP Multisite system cron cron: @@ -59,4 +59,4 @@ job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" with_dict: "{{ wordpress_sites }}" - when: item.value.multisite.enabled and cron_enabled + when: cron_enabled and item.value.multisite.enabled From d8ec407923efe77c491a309eae8b1bca53684945 Mon Sep 17 00:00:00 2001 
From: Reid Beels Date: Mon, 7 Aug 2017 10:11:51 -0700 Subject: [PATCH 238/292] Allow customization of the nginx package name The nginx/development PPA includes several variants of nginx each built with different collections of modules: nginx-core (default), nginx-light, nginx-full, and nginx-extras. This small change allows the nginx package installed by Trellis to be customized via the `nginx_package` variable. --- roles/nginx/defaults/main.yml | 1 + roles/nginx/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index 27242dc605..edcea65aba 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,4 +1,5 @@ --- +nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx nginx_logs_root: /var/log/nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 180e0101e7..b84d8d5c60 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -6,7 +6,7 @@ - name: Install Nginx apt: - name: nginx + name: "{{ nginx_package }}" state: present force: yes From aa2bc791a49c2516c1418813547efd6434db850c Mon Sep 17 00:00:00 2001 From: Reid Beels Date: Mon, 7 Aug 2017 10:29:26 -0700 Subject: [PATCH 239/292] Load modules-enabled config files The nginx package was updated earlier this year to include `modules-available` and `modules-enabled` directories in `/etc/nginx`. This adds loading of conf files from modules-enabled to the top of the trellis nginx.conf (in a new `modules_enabled` block). --- roles/nginx/templates/nginx.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index f72d73e8db..9e3b5c95c8 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -3,6 +3,10 @@ # nginx Configuration File # http://wiki.nginx.org/Configuration +{% block modules_enabled -%} +include modules-enabled/*.conf; +{% endblock %} + {% block user %} # Run as a less privileged user for security reasons. user {{ nginx_user }}; From 7ae7768472fed56eba64e466c3fdfede92a677ef Mon Sep 17 00:00:00 2001 From: Reid Beels Date: Mon, 7 Aug 2017 10:41:46 -0700 Subject: [PATCH 240/292] Allow customization of nginx PPA --- roles/nginx/defaults/main.yml | 1 + roles/nginx/tasks/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index edcea65aba..e64a3bc276 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -1,4 +1,5 @@ --- +nginx_ppa: "ppa:nginx/development" nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index b84d8d5c60..f9d6cdbadc 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Add Nginx PPA apt_repository: - repo: "ppa:nginx/development" + repo: "{{ nginx_ppa }}" update_cache: yes - name: Install Nginx From ecc40b66ec21260135e8d5df8bc091ca3925a981 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Thu, 10 Aug 2017 19:47:06 -0600 Subject: [PATCH 241/292] Add fastcgi_read_timeout --- CHANGELOG.md | 1 + roles/nginx/defaults/main.yml | 1 + roles/nginx/templates/nginx.conf.j2 | 1 + 3 files changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f5f4cf9057..4608ff18d0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Add `fastcgi_read_timeout` to Nginx config ([#860](https://github.com/roots/trellis/pull/860)) * Accommodate child themes: Update WP `stylesheet_root` separately ([#850](https://github.com/roots/trellis/pull/850)) * Deploys: `--skip-themes` when updating WP `template_root` ([#849](https://github.com/roots/trellis/pull/849)) * Option to install WP-CLI packages ([#837](https://github.com/roots/trellis/pull/837)) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index e64a3bc276..b12723a34f 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -7,6 +7,7 @@ nginx_logs_root: /var/log/nginx nginx_user: www-data nginx_fastcgi_buffers: 8 8k nginx_fastcgi_buffer_size: 8k +nginx_fastcgi_read_timeout: 60s nginx_sites_confs: - src: no-default.conf.j2 diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index f72d73e8db..c7fb4660d5 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -55,6 +55,7 @@ http { # Setup the fastcgi cache. fastcgi_buffers {{ nginx_fastcgi_buffers }}; fastcgi_buffer_size {{ nginx_fastcgi_buffer_size }}; + fastcgi_read_timeout {{ nginx_fastcgi_read_timeout }}; fastcgi_cache_path {{ nginx_cache_path }} levels=1:2 keys_zone=wordpress:{{ nginx_cache_key_storage_size }} max_size={{ nginx_cache_size }} inactive={{ nginx_cache_inactive }}; fastcgi_cache_use_stale updating error timeout invalid_header http_500; fastcgi_cache_lock on; From dfe8eaef6c168586fa51bcc0609e2462ddbe10f3 Mon Sep 17 00:00:00 2001 From: Mockey Date: Sat, 12 Aug 2017 13:19:36 +0100 Subject: [PATCH 242/292] Update `vagrant_box_version` to current version v2.3.8 --- vagrant.default.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vagrant.default.yml b/vagrant.default.yml index 4c5f5e8f3c..b5ebedfc33 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml 
@@ -3,7 +3,7 @@ vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' -vagrant_box_version: '2.2.9' +vagrant_box_version: '<= 2.3.8' vagrant_ansible_version: '2.3.0' vagrant_skip_galaxy: false From 7c4c5eb937a5feab05237c73433a49629a436b87 Mon Sep 17 00:00:00 2001 From: Patrick Artounian Date: Sat, 12 Aug 2017 10:04:33 -0700 Subject: [PATCH 243/292] Only include *.conf files in sites-enabled/ --- roles/nginx/templates/nginx.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index f72d73e8db..0f71635be3 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -169,6 +169,6 @@ http { {% endblock %} {% block sites_enabled -%} - include sites-enabled/*; + include sites-enabled/*.conf; {% endblock %} } From 460322f6628e2e18027315b514d89a7c99eeac73 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sun, 13 Aug 2017 19:58:28 -0600 Subject: [PATCH 244/292] Match fastcgi_read_timeout to php_max_execution_time --- roles/nginx/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index b12723a34f..c3b00c2fdf 100644 --- a/roles/nginx/defaults/main.yml +++ b/roles/nginx/defaults/main.yml @@ -7,7 +7,7 @@ nginx_logs_root: /var/log/nginx nginx_user: www-data nginx_fastcgi_buffers: 8 8k nginx_fastcgi_buffer_size: 8k -nginx_fastcgi_read_timeout: 60s +nginx_fastcgi_read_timeout: 120s nginx_sites_confs: - src: no-default.conf.j2 From 17a753c7d257809f8896b73b34a9bf5f764f7ec3 Mon Sep 17 00:00:00 2001 
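Review bot: `nginx_fastcgi_read_timeout: 120s` in the last hunk is a second hand-written constant that the commit title says should match `php_max_execution_time`; as two independent defaults they will drift the next time either is tuned. If `php_max_execution_time` is an Ansible variable in this project, deriving the default from it (`nginx_fastcgi_read_timeout: "{{ php_max_execution_time }}s"`) keeps them in step; otherwise a comment such as `# keep in sync with PHP max_execution_time` above the line at least records the dependency.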
From: Scott Walkinshaw Date: Sat, 8 Apr 2017 17:40:10 -0400 Subject: [PATCH 245/292] Add ansible_local support for non-Windows Previously only Windows would use Vagrant's `ansible_local` provisioner. But it's a much easier experience to get started in development since it skips the Ansible requirement. This automatically uses the `ansible_local` provisioner if `ansible-playbook` does not exist on the host machine. --- CHANGELOG.md | 1 + README.md | 11 ++++++----- Vagrantfile | 6 +++--- lib/trellis/vagrant.rb | 17 +++++++++++++++++ 4 files changed, 27 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4608ff18d0..82a352e6b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add ansible_local support for non-Windows ([#824](https://github.com/roots/trellis/pull/824)) * Add `fastcgi_read_timeout` to Nginx config ([#860](https://github.com/roots/trellis/pull/860)) * Accommodate child themes: Update WP `stylesheet_root` separately ([#850](https://github.com/roots/trellis/pull/850)) * Deploys: `--skip-themes` when updating WP `template_root` ([#849](https://github.com/roots/trellis/pull/849)) diff --git a/README.md b/README.md index ede7f1335b..796f26f4d7 100644 --- a/README.md +++ b/README.md @@ -27,11 +27,14 @@ Trellis will configure a server with the following and more: * Fail2ban * ferm +## Documentation + +Full documentation is available at [https://roots.io/trellis/docs/](https://roots.io/trellis/docs/). + ## Requirements Make sure all dependencies have been installed before moving on: -* [Ansible](http://docs.ansible.com/ansible/intro_installation.html#latest-releases-via-pip) >= 2.2 * [Virtualbox](https://www.virtualbox.org/wiki/Downloads) >= 4.3.10 * [Vagrant](https://www.vagrantup.com/downloads.html) >= 1.8.5 
@@ -56,10 +59,6 @@ See a complete working example in the [roots-example-project.com repo](https://g Windows user? [Read the Windows docs](https://roots.io/trellis/docs/windows/) for slightly different installation instructions. VirtualBox is known to have poor performance in Windows — use VMware or [see some possible solutions](https://discourse.roots.io/t/virtualbox-performance-in-windows/3932). -## Documentation - -Trellis documentation is available at [https://roots.io/trellis/docs/](https://roots.io/trellis/docs/). - ## Local development setup 1. Configure your WordPress sites in `group_vars/development/wordpress_sites.yml` and in `group_vars/development/vault.yml` @@ -69,6 +68,8 @@ Trellis documentation is available at [https://roots.io/trellis/docs/](https://r ## Remote server setup (staging/production) +For remote servers, installing Ansible locally is an additional requirement. See the [docs](https://roots.io/trellis/docs/remote-server-setup/#requirements) for more information. + A base Ubuntu 16.04 server is required for setting up remote servers. OS X users must have [passlib](http://pythonhosted.org/passlib/install.html#installation-instructions) installed. 1. Configure your WordPress sites in `group_vars//wordpress_sites.yml` and in `group_vars//vault.yml` (see the [Vault docs](https://roots.io/trellis/docs/vault/) for how to encrypt files containing passwords) diff --git a/Vagrantfile b/Vagrantfile index 4102f4f804..8982985d9b 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -91,11 +91,11 @@ Vagrant.configure('2') do |config| end end - provisioner = Vagrant::Util::Platform.windows? ? :ansible_local : :ansible - provisioning_path = Vagrant::Util::Platform.windows? ? ANSIBLE_PATH_ON_VM : ANSIBLE_PATH + provisioner = local_provisioning? ? :ansible_local : :ansible + provisioning_path = local_provisioning? ? ANSIBLE_PATH_ON_VM : ANSIBLE_PATH config.vm.provision provisioner do |ansible| - if Vagrant::Util::Platform.windows? + if local_provisioning? ansible.install_mode = 'pip' ansible.provisioning_path = provisioning_path ansible.version = vconfig.fetch('vagrant_ansible_version') diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index d25b44fe59..bc036b8afd 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb @@ -62,6 +62,10 @@ def load_wordpress_sites wordpress_sites end +def local_provisioning? + @local_provisioning ||= Vagrant::Util::Platform.windows? || !which('ansible-playbook') || ENV['FORCE_ANSIBLE_LOCAL'] +end + def local_site_path(site) File.expand_path(site['local_path'], ANSIBLE_PATH) end @@ -90,3 +94,16 @@ def post_up_message def remote_site_path(site_name, site) "/srv/www/#{site_name}/#{site['current_path'] || 'current'}" end + +def which(cmd) + exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : [''] + + paths = ENV['PATH'].split(File::PATH_SEPARATOR).flat_map do |path| + exts.map { |ext| File.join(path, "#{cmd}#{ext}") } + end + + paths.any? do |path| + next unless File.executable?(path) && !File.directory?(path) + system("#{path} --help", %i(out err) => File::NULL) + end +end From 4459ab5b9eb7f7cd235debb62eab23ba18820b72 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 15 Aug 2017 23:16:03 -0400 Subject: [PATCH 246/292] CHANGELOG updates --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 82a352e6b9..85654bda19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
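Review bot: `which` runs every candidate it finds with `system("#{path} --help", ...)`, which goes through a shell when the interpolated path contains spaces or other shell-significant characters, and it executes a binary merely to test for its presence; `File.executable?(path) && !File.directory?(path)` already answers the question, so the `system` call can be dropped, or if a smoke test is wanted it should use the argv form `system(path, '--help', %i(out err) => File::NULL)`. `local_provisioning?` treats any value of `ENV['FORCE_ANSIBLE_LOCAL']`, including `"0"` or `"false"`, as forcing the local provisioner because a non-empty string is truthy in Ruby; a comment documenting that (`# any value, even "false", forces ansible_local`) or an explicit comparison would avoid surprises. Memoizing with `||=` re-evaluates the expression on every call whenever the result is `false`, which is harmless here but worth a comment since the `which` call is the expensive part.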
@@ -1,6 +1,11 @@ ### HEAD * Add ansible_local support for non-Windows ([#824](https://github.com/roots/trellis/pull/824)) +* Load `modules-enabled` config files in Nginx ([#859](https://github.com/roots/trellis/pull/859)) +* Only include \*.conf files in Nginx `sites-enabled/` ([#862](https://github.com/roots/trellis/pull/862)) * Add `fastcgi_read_timeout` to Nginx config ([#860](https://github.com/roots/trellis/pull/860)) +* Allow customization of the Nginx package name and PPA ([#858](https://github.com/roots/trellis/pull/858)) +* Nginx microcaching: skip caching WP API requests ([#855](https://github.com/roots/trellis/pull/855)) +* Allow overriding more php-fpm params ([#856](https://github.com/roots/trellis/pull/856)) * Accommodate child themes: Update WP `stylesheet_root` separately ([#850](https://github.com/roots/trellis/pull/850)) * Deploys: `--skip-themes` when updating WP `template_root` ([#849](https://github.com/roots/trellis/pull/849)) * Option to install WP-CLI packages ([#837](https://github.com/roots/trellis/pull/837)) From f130ce3afbfbb4649fdd85160707e2c0116721f6 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Tue, 29 Aug 2017 19:26:41 -0500 Subject: [PATCH 247/292] Update wp-cli to 1.3.0 --- roles/wp-cli/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index bc19f77a82..8d70ab8527 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.2.1 +wp_cli_version: 1.3.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From 6e2607829acf97fada6121e56b85633d603a2836 Mon Sep 17 00:00:00 2001 
From: Tang Rufus Date: Wed, 30 Aug 2017 09:35:34 +0800 Subject: [PATCH 248/292] Update ansible galaxy roles --- requirements.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/requirements.yml b/requirements.yml index 15c9e891ba..a5dbaf621d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,10 +1,10 @@ - name: composer src: geerlingguy.composer - version: 1.5.0 + version: 1.6.1 - name: ntp src: geerlingguy.ntp - version: 1.3.0 + version: 1.5.2 - name: logrotate src: nickhammond.logrotate @@ -12,11 +12,8 @@ - name: swapfile src: kamaln7.swapfile - version: 0.4 - -- src: geerlingguy.daemonize - version: 1.1.1 + version: 4850d8a - name: mailhog src: geerlingguy.mailhog - version: 2.1.0 + version: 2.1.3 From d29fe4d3fb84d992b57c9cd3ad7cb53567dfa282 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 1 Sep 2017 20:20:21 +0800 Subject: [PATCH 249/292] Nginx Site Template: Make ssl-stapling.conf optional --- group_vars/all/helpers.yml | 1 + roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 ++ 2 files changed, 3 insertions(+) diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml index 61cb734133..d0ab088e3c 100644 --- a/group_vars/all/helpers.yml +++ b/group_vars/all/helpers.yml 
@@ -15,4 +15,5 @@ site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defin site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}" multisite_subdomains_wildcards: "{{ item.value.multisite.subdomains | default(false) | ternary( site_hosts_canonical | map('regex_replace', '^(www\\.)?(.*)$', '*.\\2') | list, [] ) }}" ssl_enabled: "{{ item.value.ssl is defined and item.value.ssl.enabled | default(false) }}" +ssl_stapling_enabled: "{{ item.value.ssl is defined and item.value.ssl.stapling_enabled | default(true) }}" cron_enabled: "{{ site_env.disable_wp_cron and (not item.value.multisite.enabled | default(false) or (item.value.multisite.enabled | default(false) and item.value.multisite.cron | default(true))) }}" diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 2c2aebb524..28e60da956 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -68,7 +68,9 @@ server { {% if ssl_enabled -%} # SSL configuration include h5bp/directive-only/ssl.conf; + {% if ssl_stapling_enabled -%} include h5bp/directive-only/ssl-stapling.conf; + {% endif -%} ssl_dhparam /etc/nginx/ssl/dhparams.pem; ssl_buffer_size 1400; # 1400 bytes to fit in one MTU From 5e944b2fe5d1b554b3748482d5c20b7f4935c7d4 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 2 Sep 2017 01:37:30 +0800 Subject: [PATCH 250/292] Update h5bp --- roles/nginx/defaults/main.yml | 2 +- roles/nginx/tasks/main.yml | 2 +- roles/nginx/templates/nginx.conf.j2 | 97 ++++++++++++------- roles/nginx/templates/no-default.conf.j2 | 2 +- roles/wordpress-setup/defaults/main.yml | 12 +++ .../templates/wordpress-site.conf.j2 | 39 +++++++- 6 files changed, 114 insertions(+), 40 deletions(-) diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml index c3b00c2fdf..f70ca149a8 100644 --- a/roles/nginx/defaults/main.yml 
+++ b/roles/nginx/defaults/main.yml @@ -4,7 +4,7 @@ nginx_package: nginx nginx_conf: nginx.conf.j2 nginx_path: /etc/nginx nginx_logs_root: /var/log/nginx -nginx_user: www-data +nginx_user: www-data www-data nginx_fastcgi_buffers: 8 8k nginx_fastcgi_buffer_size: 8k nginx_fastcgi_read_timeout: 120s diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index f9d6cdbadc..153605de6b 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -29,7 +29,7 @@ git: repo: "https://github.com/h5bp/server-configs-nginx.git" dest: "{{ nginx_path }}/h5bp-server-configs" - version: 82181a672a7c26f9bc8744fead80318d8a2520b1 + version: c5c6602232e0976d9e69d69874aa84d2a2698265 force: yes - name: Move h5bp configs diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index bf3794eb21..e9b4372202 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 
@@ -1,49 +1,51 @@ # {{ ansible_managed }} -# nginx Configuration File -# http://wiki.nginx.org/Configuration +# Configuration File - Nginx Server Configs +# http://nginx.org/en/docs/dirindex.html {% block modules_enabled -%} include modules-enabled/*.conf; {% endblock %} {% block user %} -# Run as a less privileged user for security reasons. +# Run as a unique, less privileged user for security reasons. +# Default: nobody nobody user {{ nginx_user }}; {% endblock %} {% block worker %} -# How many worker threads to run; -# "auto" sets it to the number of CPU cores available in the system, and -# offers the best performance. Don't set it higher than the number of CPU -# cores if changing this parameter. - -# The maximum number of connections for Nginx is calculated by: -# max_clients = worker_processes * worker_connections +# Sets the worker threads to the number of CPU cores available in the system for best performance. +# Should be > the number of CPU cores. +# Maximum number of connections = worker_processes * worker_connections +# Default: 1 worker_processes auto; -# Maximum open file descriptors per process; -# should be > worker_connections. +# Maximum number of open files per worker process. +# Should be > worker_connections. +# Default: no limit worker_rlimit_nofile 8192; {% endblock %} {% block events %} events { - # When you need > 8000 * cpu_cores connections, you start optimizing your OS, - # and this is probably the point at which you hire people who are smarter than - # you, as this is *a lot* of requests. + # If you need more connections than this, you start optimizing your OS. + # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests. + # Should be < worker_rlimit_nofile. 
+ # Default: 512 worker_connections 8000; } {% endblock %} {% block error_log %} -# Default error log file -# (this is only used when you don't override error_log on a server{} level) +# Log errors and warnings to this file +# This is only used when you don't override it on a server{} level +# Default: logs/error.log error error_log {{ nginx_logs_root }}/error.log warn; {% endblock %} {% block pid %} # The file storing the process ID of the main process +# Default: nginx.pid pid /run/nginx.pid; {% endblock %} @@ -52,6 +54,7 @@ http { {% block server_tokens -%} # Hide nginx version information. + # Default: on server_tokens off; {% endblock %} 
@@ -70,75 +73,100 @@ http { {% endblock %} {% block mime_types -%} - # Define the MIME types for files. + # Specify MIME types for files. include h5bp-server-configs/mime.types; + + # Default: text/plain default_type application/octet-stream; {% endblock %} {% block charset_types -%} - # Update charset_types due to updated mime.types - charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml; + # Update charset_types to match updated mime.types. + # text/html is always included by charset module. + # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml + charset_types + text/css + text/plain + text/vnd.wap.wml + application/javascript + application/json + application/rss+xml + application/xml; {% endblock %} {% block log_format -%} - # Format to use in log files + # Include $http_x_forwarded_for within default format used in log files log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; {% endblock %} {% block access_log -%} - # Default log file - # (this is only used when you don't override access_log on a server{} level) + # Log access to this file + # This is only used when you don't override it on a server{} level + # Default: logs/access.log combined access_log {{ nginx_logs_root }}/access.log main; {% endblock %} {% block keepalive -%} - # How long to allow each connection to stay idle; longer values are better - # for each individual client, particularly for SSL, but means that worker - # connections are tied up longer. (Default: 65) - keepalive_timeout 20; + # How long to allow each connection to stay idle. + # Longer values are better for each individual client, particularly for SSL, + # but means that worker connections are tied up longer. 
+ # Default: 75s + keepalive_timeout 20s; {% endblock %} {% block sendfile -%} # Speed up file transfers by using sendfile() to copy directly # between descriptors rather than using read()/write(). + # For performance reasons, on FreeBSD systems w/ ZFS + # this option should be disabled as ZFS's ARC caches + # frequently used files in RAM by default. + # Default: off sendfile on; {% endblock %} {% block tcp_nopush -%} - # Tell Nginx not to send out partial frames; this increases throughput - # since TCP frames are filled up before being sent out. (adds TCP_CORK) + # Don't send out partial frames; this increases throughput + # since TCP frames are filled up before being sent out. + # Default: off tcp_nopush on; {% endblock %} {% block compression -%} # Compression - # Enable Gzip compressed. + # Enable gzip compression. + # Default: off gzip on; # Compression level (1-9). - # 5 is a perfect compromise between size and cpu usage, offering about - # 75% reduction for most ascii files (almost identical to level 9). + # 5 is a perfect compromise between size and CPU usage, offering about + # 75% reduction for most ASCII files (almost identical to level 9). + # Default: 1 gzip_comp_level 5; # Don't compress anything that's already small and unlikely to shrink much # if at all (the default is 20 bytes, which is bad as that usually leads to # larger files after gzipping). + # Default: 20 gzip_min_length 256; # Compress data even for clients that are connecting to us via proxies, # identified by the "Via" header (required for CloudFront). + # Default: off gzip_proxied any; # Tell proxies to cache both the gzipped and regular version of a resource # whenever the client's Accept-Encoding capabilities header varies; # Avoids the issue where a non-gzip capable client (which is extremely rare # today) would display gibberish if their proxy gave them the gzipped version. + # Default: off gzip_vary on; # Compress all output labeled with one of the following MIME-types. 
+ # text/html is always compressed by gzip module. + # Default: text/html gzip_types application/atom+xml application/javascript @@ -164,7 +192,6 @@ http { text/vtt text/x-component text/x-cross-domain-policy; - # text/html is always compressed by HttpGzipModule # This should be turned on if you are going to have pre-compressed copies (.gz) of # static files available. If not it should be left off as it will cause extra I/O @@ -174,6 +201,10 @@ http { {% endblock %} {% block sites_enabled -%} + # Include files in the sites-enabled folder. server{} configuration files should be + # placed in the sites-available folder, and then the configuration should be enabled + # by creating a symlink to it in the sites-enabled folder. + # See doc/sites-enabled.md for more info. include sites-enabled/*.conf; {% endblock %} } diff --git a/roles/nginx/templates/no-default.conf.j2 b/roles/nginx/templates/no-default.conf.j2 index f12dd3e873..c29a32619e 100644 --- a/roles/nginx/templates/no-default.conf.j2 +++ b/roles/nginx/templates/no-default.conf.j2 @@ -8,6 +8,6 @@ # returning 444 "no response". server { - listen 80 default_server; + listen [::]:80 default_server; return 444; } diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index b9ee0ff516..e6bee8ab26 100644 --- a/roles/wordpress-setup/defaults/main.yml +++ b/roles/wordpress-setup/defaults/main.yml 
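Review bot: `listen [::]:80 default_server;` in no-default.conf.j2 replaces the IPv4 listener rather than adding to it, and since nginx's `ipv6only` parameter defaults to on, the 444 catch-all now answers only IPv6 while an unknown Host over IPv4 falls through to whichever site block nginx picks as its implicit default. Keep both listeners, `listen [::]:80 default_server;` and `listen 80 default_server;`, as the wordpress-site.conf.j2 hunks in this same commit do when they add their `[::]` lines beside the existing ones.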
@@ -23,6 +23,18 @@ nginx_includes_deprecated: roles/wordpress-setup/templates/includes.d nginx_includes_pattern: "^({{ nginx_includes_templates_path | regex_escape }}|{{ nginx_includes_deprecated | regex_escape }})/(.*)\\.j2$" nginx_includes_d_cleanup: true +# h5bp helpers +not_dev: "{{ env != 'development' }}" +h5bp: "{{ item.value.h5bp | default({}) }}" +h5bp_cache_file_descriptors_enabled: "{{ h5bp.cache_file_descriptors | default(not_dev) }}" +h5bp_extra_security_enabled: "{{ h5bp.extra_security | default(true) }}" +h5bp_no_transform_enabled: "{{ h5bp.no_transform | default(false) }}" +h5bp_x_ua_compatible_enabled: "{{ h5bp.x_ua_compatible | default(true) }}" +h5bp_cache_busting_enabled: "{{ h5bp.cache_busting | default(not_dev) }}" +h5bp_cross_domain_fonts_enabled: "{{ h5bp.cross_domain_fonts | default(true) }}" +h5bp_expires_enabled: "{{ h5bp.expires | default(not_dev) }}" +h5bp_protect_system_files_enabled: "{{ h5bp.protect_system_files | default(true) }}" + # PHP FPM php_fpm_pm_max_children: 10 php_fpm_pm_start_servers: 1 diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 28e60da956..fcd332ecd3 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -4,6 +4,7 @@ server { {% block server_id -%} + listen {{ ssl_enabled | ternary('[::]:443 ssl http2', '[::]:80') }}; listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }}; {% endblock %} @@ -17,6 +18,8 @@ server { root {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }}/web; index index.php index.htm index.html; add_header Fastcgi-Cache $upstream_cache_status; + + # Specify a charset charset utf-8; # Set the max body size equal to PHP's max POST size. 
@@ -118,10 +121,38 @@ server { {% endblock %} {% block h5bp -%} - include h5bp/directive-only/x-ua-compatible.conf; + {% if h5bp_cache_file_descriptors_enabled -%} + include h5bp/directive-only/cache-file-descriptors.conf; + {% endif -%} + + {% if h5bp_extra_security_enabled -%} include h5bp/directive-only/extra-security.conf; + {% endif -%} + + {% if h5bp_no_transform_enabled -%} + include h5bp/directive-only/no-transform.conf; + {% endif -%} + + {% if h5bp_x_ua_compatible_enabled -%} + include h5bp/directive-only/x-ua-compatible.conf; + {% endif -%} + + {% if h5bp_cache_busting_enabled -%} + include h5bp/location/cache-busting.conf + {% endif -%} + + {% if h5bp_cross_domain_fonts_enabled -%} include h5bp/location/cross-domain-fonts.conf; + {% endif -%} + + {% if h5bp_expires_enabled -%} + include h5bp/location/expires.conf; + {% endif -%} + + {% if h5bp_protect_system_files_enabled -%} include h5bp/location/protect-system-files.conf; + {% endif -%} + {% endblock %} {% block location_php -%} @@ -158,6 +189,7 @@ server { {% if ssl_enabled %} # Redirect to https server { + listen [::]:80; listen 80; server_name {{ site_hosts | union(multisite_subdomains_wildcards) | join(' ') }}; @@ -177,6 +209,7 @@ server { {% endif %} {% for host in item.value.site_hosts if host.redirects | default([]) %} server { + listen {{ ssl_enabled | ternary('[::]:443 ssl http2', '[::]:80') }}; listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; server_name {{ host.redirects | join(' ') }}; @@ -184,9 +217,7 @@ server { {{ self.acme_challenge() -}} - location / { - return 301 $scheme://{{ host.canonical }}$request_uri; - } + return 301 $scheme://{{ host.canonical }}$request_uri; } {% endfor %} {% endblock %} From 4cd1be12a8cfacf78af3a9a1302bea153f80e459 Mon Sep 17 00:00:00 2001 
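Review bot: `include h5bp/location/cache-busting.conf` in the new `h5bp_cache_busting_enabled` branch has no terminating semicolon, so nginx rejects the rendered site config whenever cache busting is enabled, which the new `not_dev` default makes the case outside development. The line should read `include h5bp/location/cache-busting.conf;`.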
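Review bot: In the `@@ -184,9 +217,7 @@` hunk the `return 301` is lifted out of `location /` to server level, where nginx evaluates it in the server rewrite phase before any location is matched, so the `{{ self.acme_challenge() -}}` location emitted just above can no longer serve HTTP-01 challenges for redirect hosts; those requests receive the 301 as well. Keeping the redirect as `location / { return 301 $scheme://{{ host.canonical }}$request_uri; }` preserves the challenge path. The server block's opening line lies outside the hunk.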
From: Dave Kiss Date: Mon, 4 Sep 2017 21:13:37 -0400 Subject: [PATCH 251/292] =?UTF-8?q?=F0=9F=90=9B=20add=20missing=20semicolo?= =?UTF-8?q?n?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index fcd332ecd3..f844be2f76 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -138,7 +138,7 @@ server { {% endif -%} {% if h5bp_cache_busting_enabled -%} - include h5bp/location/cache-busting.conf + include h5bp/location/cache-busting.conf; {% endif -%} {% if h5bp_cross_domain_fonts_enabled -%} From f2b81074c83475837e544a8aa5c3e909e760aa8a Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Fri, 8 Sep 2017 05:42:49 +0800 Subject: [PATCH 252/292] Nginx: Add include.d files to redirect domains (#879) --- roles/wordpress-setup/templates/wordpress-site.conf.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index f844be2f76..236aaa2752 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -195,6 +195,8 @@ server { {{ self.acme_challenge() -}} + {{ self.includes_d() -}} + location / { return 301 https://$host$request_uri; } @@ -217,6 +219,8 @@ server { {{ self.acme_challenge() -}} + {{ self.includes_d() -}} + return 301 $scheme://{{ host.canonical }}$request_uri; } {% endfor %} From 7fb3706a7f831ebeaac7f331ce726c6116368119 Mon Sep 17 00:00:00 2001 
From: Tang Rufus
Date: Fri, 8 Sep 2017 09:07:36 +0800
Subject: [PATCH 253/292] Nginx: Include includes.d/http/*.conf
---
 roles/nginx/templates/nginx.conf.j2 | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index e9b4372202..5a587d5434 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@@ -199,6 +199,10 @@ http {
 # a specific directory, or on an individual server{} level.
 # gzip_static on;
 {% endblock %}
+
+ {% block http_includes_d -%}
+ include includes.d/http/*.conf;
+ {% endblock -%}
 {% block sites_enabled -%}
 # Include files in the sites-enabled folder. server{} configuration files should be
From 8b3bc5a59a479e1f41c9b8f8d7553bf4bbc34cdc Mon Sep 17 00:00:00 2001
From: Tang Rufus
Date: Sun, 10 Sep 2017 09:40:43 +0800
Subject: [PATCH 254/292] WordPress Setup: Add Nginx ssl_client_certificate (#869)
---
 roles/wordpress-setup/tasks/main.yml | 2 ++
 roles/wordpress-setup/tasks/nginx-client-cert.yml | 8 ++++++++
 roles/wordpress-setup/templates/wordpress-site.conf.j2 | 5 +++++
 3 files changed, 15 insertions(+)
 create mode 100644 roles/wordpress-setup/tasks/nginx-client-cert.yml
diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml
index de589d20ba..0e5c9f1c0b 100644
--- a/roles/wordpress-setup/tasks/main.yml
+++ b/roles/wordpress-setup/tasks/main.yml
@@ -3,6 +3,8 @@
 tags: wordpress-setup-database
 - include: self-signed-certificate.yml
 tags: wordpress-setup-self-signed-certificate
+- include: nginx-client-cert.yml
+ tags: wordpress-setup-nginx-client-cert
 - name: Create web root
 file:
diff --git a/roles/wordpress-setup/tasks/nginx-client-cert.yml b/roles/wordpress-setup/tasks/nginx-client-cert.yml
new file mode 100644
index 0000000000..49d810eee5
--- /dev/null
+++ b/roles/wordpress-setup/tasks/nginx-client-cert.yml
@@ -0,0 +1,8 @@ +--- +- name: Download client cert + get_url: + url: "{{ item.value.ssl.client_cert_url }}" + dest: "{{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt" + mode: 0640 + with_dict: "{{ wordpress_sites }}" + when: ssl_enabled and item.value.ssl.client_cert_url is defined diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2 index 236aaa2752..8b16cc8229 100644 --- a/roles/wordpress-setup/templates/wordpress-site.conf.j2 +++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2 @@ -80,6 +80,11 @@ server { add_header Strict-Transport-Security "max-age={{ [hsts_max_age, hsts_include_subdomains, hsts_preload] | reject('none') | join('; ') }}"; + {% if item.value.ssl.client_cert_url is defined -%} + ssl_verify_client on; + ssl_client_certificate {{ nginx_ssl_path }}/client-{{ (item.value.ssl.client_cert_url | hash('md5'))[:7] }}.crt; + {% endif -%} + {% if item.value.ssl.provider | default('manual') == 'manual' and item.value.ssl.cert is defined and item.value.ssl.key is defined -%} ssl_certificate {{ nginx_path }}/ssl/{{ item.value.ssl.cert | basename }}; ssl_certificate_key {{ nginx_path }}/ssl/{{ item.value.ssl.key | basename }}; From ec9324ccbc1910115d382d0559784824084d683f Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 12 Sep 2017 13:38:28 -0600 Subject: [PATCH 255/292] Ensure updated H5BP nginx includes sync into place (#884) When outdated confs are already in place, the former `cp` will not copy updated confs into place due to `creates: "{{ nginx_path }}/h5bp/"`. Rsync will update the confs when necessary while remaining idempotent. --- roles/nginx/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 153605de6b..c457106389 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
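Review bot: The `get_url` task fetches `client_cert_url` with no `checksum:`, yet the downloaded file becomes the CA that `ssl_verify_client on` trusts, so whoever controls that URL or its transport decides which client certificates are admitted. A pinned digest such as `checksum: "sha256:{{ item.value.ssl.client_cert_checksum }}"` (a new site key; placeholder name) makes the download fail closed on tampering, or the CA file could be shipped from the repository the way `ssl.cert` appears to be. `get_url` validates the server certificate by default, but nothing restricts the key to an `https://` URL, which the `when:` could assert.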
@@ -33,9 +33,10 @@ force: yes - name: Move h5bp configs - command: cp -R {{ nginx_path }}/h5bp-server-configs/h5bp {{ nginx_path }}/h5bp - args: - creates: "{{ nginx_path }}/h5bp/" + command: rsync -ac --delete --info=NAME {{ nginx_path }}/h5bp-server-configs/h5bp/ {{ nginx_path }}/h5bp + register: h5bp_nginx_sync + changed_when: h5bp_nginx_sync.stdout != '' + notify: reload nginx - name: Create nginx.conf template: From 765f4cabd454254ff52d133751d51b3330ef3364 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Thu, 14 Sep 2017 20:26:17 -0600 Subject: [PATCH 256/292] Re-enable IPv4 connections in Nginx no-default.conf (#885) Ubuntu doesn't appear to support dual-stack sockets, even if ipv6only=off is added. Separate listen directives are necessary for no-default.conf to serve IPv4 and IPv6 connections to unknown hosts. Enable deferred accept() (the TCP_DEFER_ACCEPT socket option) to streamline usage of server processes. --- roles/nginx/tasks/main.yml | 1 + roles/nginx/templates/no-default.conf.j2 | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index c457106389..b042455fa0 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -57,6 +57,7 @@ dest: "{{ nginx_path }}/sites-available/{{ item.src | basename | regex_replace('.j2$', '') }}" with_items: "{{ nginx_sites_confs }}" when: item.enabled | default(true) + notify: reload nginx tags: nginx-sites - name: Enable or disable Nginx sites diff --git a/roles/nginx/templates/no-default.conf.j2 b/roles/nginx/templates/no-default.conf.j2 index c29a32619e..3a9bff2df6 100644 --- a/roles/nginx/templates/no-default.conf.j2 +++ b/roles/nginx/templates/no-default.conf.j2 @@ -8,6 +8,7 @@ # returning 444 "no response". server { - listen [::]:80 default_server; + listen [::]:80 default_server deferred; + listen 80 default_server deferred; return 444; } From 3ee2577965a93c905d0e42e7dcb42b343b769637 Mon Sep 17 00:00:00 2001 
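Review bot: `rsync -ac --delete` turns `{{ nginx_path }}/h5bp` into a strict mirror of the checkout, so any file an operator places there by hand disappears on the next run; a comment on the task, `# h5bp/ is fully managed: local additions are removed on every sync`, would spare that surprise. The task now also depends on rsync being present on the target, which nothing in this hunk installs; fine if a package task elsewhere covers it, otherwise the play fails on a fresh host.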
From: Tang Rufus
Date: Sat, 16 Sep 2017 14:32:08 -0500
Subject: [PATCH 257/292] Ansible: Retry ssh connection one more time
Fix issues when using with non-standard ssh setups, for example: using with [Kryptonite](https://krypt.co/)
---
 ansible.cfg | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ansible.cfg b/ansible.cfg
index 8181c710bf..3f42017488 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -12,3 +12,4 @@ vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_
 [ssh_connection]
 ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s
 pipelining = True
+retries = 1
From 12ac783d24bc62b9426e88cc2c34d2294e1d078a Mon Sep 17 00:00:00 2001
From: Phil Nelson
Date: Mon, 18 Sep 2017 12:12:49 -0600
Subject: [PATCH 258/292] Redirect directly to https canonical domain (#889)
http://www.xyz.com -> http://xyz.com -> https://xyz.com becomes simply http://www.xyz.com -> https://xyz.com Also move return directive back into location block so that it will run only if acme challenge location is not matched. Otherwise Let's Encrypt validation in this server block would fail due to 301 redirect.
---
 .../templates/wordpress-site.conf.j2 | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index 8b16cc8229..3b8905846e 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -196,7 +196,7 @@ server {
 server {
 listen [::]:80;
 listen 80;
- server_name {{ site_hosts | union(multisite_subdomains_wildcards) | join(' ') }};
+ server_name {{ site_hosts_canonical | union(multisite_subdomains_wildcards) | join(' ') }};
 {{ self.acme_challenge() -}}
@@ -216,8 +216,12 @@ server { {% endif %} {% for host in item.value.site_hosts if host.redirects | default([]) %} server { - listen {{ ssl_enabled | ternary('[::]:443 ssl http2', '[::]:80') }}; - listen {{ ssl_enabled | ternary('443 ssl http2', '80') }}; + {% if ssl_enabled -%} + listen [::]:443 ssl http2; + listen 443 ssl http2; + {% endif -%} + listen [::]:80; + listen 80; server_name {{ host.redirects | join(' ') }}; {{ self.https() -}} @@ -226,7 +230,9 @@ server { {{ self.includes_d() -}} - return 301 $scheme://{{ host.canonical }}$request_uri; + location / { + return 301 {{ ssl_enabled | ternary('https', 'http') }}://{{ host.canonical }}$request_uri; + } } {% endfor %} {% endblock %} From 883d598a040aa13ff9160796e453ca56d8c4e529 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 17 Sep 2017 05:29:24 +0800 Subject: [PATCH 259/292] Vagrant: Support DHCP --- Vagrantfile | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/Vagrantfile b/Vagrantfile index 8982985d9b..8f409c90d6 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -32,7 +32,23 @@ Vagrant.configure('2') do |config| config.ssh.shell = %{bash -c 'BASH_ENV=/etc/profile exec bash'} # Required for NFS to work - config.vm.network :private_network, ip: vconfig.fetch('vagrant_ip'), hostsupdater: 'skip' + if vconfig.fetch('vagrant_ip') == 'dhcp' + config.vm.network :private_network, type: 'dhcp', hostsupdater: 'skip' + + cached_addresses = {} + config.hostmanager.ip_resolver = proc do |vm, _resolving_vm| + if cached_addresses[vm.name].nil? + if vm.communicate.ready? + vm.communicate.execute("hostname -I | cut -d ' ' -f 2") do |type, contents| + cached_addresses[vm.name] = contents.split("\n").first[/(\d+\.\d+\.\d+\.\d+)/, 1] + end + end + end + cached_addresses[vm.name] + end + else + config.vm.network :private_network, ip: vconfig.fetch('vagrant_ip'), hostsupdater: 'skip' + end main_hostname, *hostnames = site_hosts.map { |host| host['canonical'] } config.vm.hostname = main_hostname From 109499e26ca401ebddda0c7b793af824917efb43 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Tue, 19 Sep 2017 02:59:48 +0800 Subject: [PATCH 260/292] Extract Trellis::Config (#890) --- Vagrantfile | 16 ++++----- lib/trellis/config.rb | 75 ++++++++++++++++++++++++++++++++++++++++++ lib/trellis/vagrant.rb | 31 ----------------- 3 files changed, 83 insertions(+), 39 deletions(-) create mode 100644 lib/trellis/config.rb diff --git a/Vagrantfile b/Vagrantfile index 8982985d9b..1adf4d3a50 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -5,6 +5,7 @@ ANSIBLE_PATH = __dir__ # absolute path to Ansible directory on host machine ANSIBLE_PATH_ON_VM = '/home/vagrant/trellis' # absolute path to Ansible directory on virtual machine require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'vagrant') +require File.join(ANSIBLE_PATH, 'lib', 'trellis', 'config') require 'yaml' vconfig = YAML.load_file("#{ANSIBLE_PATH}/vagrant.default.yml") 
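Review bot: In the DHCP resolver, `contents.split("\n").first` is nil when a callback chunk carries no text (an empty stdout chunk, or stderr output), and indexing nil with the regex raises NoMethodError inside the hostmanager hook. Guarding it, `line = contents.split("\n").first` followed by `cached_addresses[vm.name] = line[/(\d+\.\d+\.\d+\.\d+)/, 1] if line`, keeps the resolver returning nil until an address is available. Taking the second field of `hostname -I` as the private-network address is an assumption about interface order that deserves a comment. If the landrush branch further down still passes `vconfig.fetch('vagrant_ip')` to `config.landrush.host`, it now receives the literal string `dhcp`; that code is outside this hunk.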
@@ -16,8 +17,7 @@ end ensure_plugins(vconfig.fetch('vagrant_plugins')) if vconfig.fetch('vagrant_install_plugins') -wordpress_sites = load_wordpress_sites -site_hosts = hosts(wordpress_sites) +trellis_config = Trellis::Config.new(root_path: ANSIBLE_PATH) Vagrant.require_version '>= 1.8.5' @@ -34,16 +34,16 @@ Vagrant.configure('2') do |config| # Required for NFS to work config.vm.network :private_network, ip: vconfig.fetch('vagrant_ip'), hostsupdater: 'skip' - main_hostname, *hostnames = site_hosts.map { |host| host['canonical'] } + main_hostname, *hostnames = trellis_config.site_hosts_canonical config.vm.hostname = main_hostname - if Vagrant.has_plugin?('vagrant-hostmanager') && !multisite_subdomains?(wordpress_sites) - redirects = site_hosts.flat_map { |host| host['redirects'] }.compact + if Vagrant.has_plugin?('vagrant-hostmanager') && !trellis_config.multisite_subdomains? + redirects = trellis_config.site_hosts_redirects config.hostmanager.enabled = true config.hostmanager.manage_host = true config.hostmanager.aliases = hostnames + redirects - elsif Vagrant.has_plugin?('landrush') && multisite_subdomains?(wordpress_sites) + elsif Vagrant.has_plugin?('landrush') && trellis_config.multisite_subdomains? config.landrush.enabled = true config.landrush.tld = config.vm.hostname hostnames.each { |host| config.landrush.host host, vconfig.fetch('vagrant_ip') } @@ -54,7 +54,7 @@ Vagrant.configure('2') do |config| bin_path = File.join(ANSIBLE_PATH_ON_VM, 'bin') if Vagrant::Util::Platform.windows? and !Vagrant.has_plugin? 'vagrant-winnfsd' - wordpress_sites.each_pair do |name, site| + trellis_config.wordpress_sites.each_pair do |name, site| config.vm.synced_folder local_site_path(site), remote_site_path(name, site), owner: 'vagrant', group: 'www-data', mount_options: ['dmode=776', 'fmode=775'] end 
@@ -64,7 +64,7 @@ Vagrant.configure('2') do |config| if !Vagrant.has_plugin? 'vagrant-bindfs' fail_with_message "vagrant-bindfs missing, please install the plugin with this command:\nvagrant plugin install vagrant-bindfs" else - wordpress_sites.each_pair do |name, site| + trellis_config.wordpress_sites.each_pair do |name, site| config.vm.synced_folder local_site_path(site), nfs_path(name), type: 'nfs' config.bindfs.bind_folder nfs_path(name), remote_site_path(name, site), u: 'vagrant', g: 'www-data', o: 'nonempty' end diff --git a/lib/trellis/config.rb b/lib/trellis/config.rb new file mode 100644 index 0000000000..3a8008117d --- /dev/null +++ b/lib/trellis/config.rb 
@@ -0,0 +1,75 @@ +# frozen_string_literal: true + +require 'vagrant' +require 'yaml' + +module Trellis + class Config + def initialize(root_path:) + @root_path = root_path + end + + def multisite_subdomains? + @using_multisite_subdomains ||= begin + wordpress_sites.any? do |(_name, site)| + site['multisite']&.fetch('enabled', false) && site['multisite']&.fetch('subdomains', false) + end + end + end + + def site_hosts_canonical + @site_hosts_canonical ||= site_hosts.map { |host| host['canonical'] } + end + + def site_hosts_redirects + @site_hosts_redirects ||= site_hosts.flat_map { |host| host['redirects'] }.compact + end + + def site_hosts + @site_hosts ||= begin + wordpress_sites.flat_map { |(_name, site)| site['site_hosts'] }.tap do |hosts| + fail_with message: template_content if malformed?(site_hosts: hosts) + end + end + end + + def wordpress_sites + @wordpress_sites ||= begin + content['wordpress_sites'].tap do |sites| + fail_with message: "No sites found in #{path}." if sites.to_h.empty? + end + end + end + + def content + @content ||= begin + fail_with message: "#{path} was not found. Please check `root_path`." unless exist? + YAML.load_file(path) + end + end + + private + + def malformed?(site_hosts:) + site_hosts.any? do |host| + !host.is_a?(Hash) || !host.key?('canonical') + end + end + + def exist? + File.exist?(path) + end + + def path + File.join(@root_path, 'group_vars', 'development', 'wordpress_sites.yml') + end + + def template_content + File.read(File.join(@root_path, 'roles', 'common', 'templates', 'site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') + end + + def fail_with(message:) + raise Vagrant::Errors::VagrantError.new, message + end + end +end diff --git a/lib/trellis/vagrant.rb b/lib/trellis/vagrant.rb index bc036b8afd..16cf2f3dd4 100644 --- a/lib/trellis/vagrant.rb +++ b/lib/trellis/vagrant.rb 
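Review bot: `template_content` chains `sub!` and `gsub!`, both of which return nil when nothing is replaced, so if `site_hosts.j2` ever lacks the literal `{{ env }}` or a trailing `com` the malformed-hosts path raises NoMethodError instead of printing the intended template; use the non-bang forms: `File.read(File.join(@root_path, 'roles', 'common', 'templates', 'site_hosts.j2')).sub('{{ env }}', 'development').gsub(/com$/, 'dev')`. `content` parses `wordpress_sites.yml` with `YAML.load_file`, which in Psych releases before 4 can instantiate arbitrary Ruby objects from tagged nodes; this is the developer's own config so the risk is low, but a one-line comment stating the file is trusted input, or `YAML.safe_load(File.read(path))` since only plain hashes and scalars are read here, would make that explicit. `site_hosts` also assumes every `site` value is a Hash; a site defined as a bare scalar raises inside `flat_map` before `malformed?` gets a chance to produce a readable message, so a `fail_with` for that case would be friendlier.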
@@ -37,31 +37,6 @@ def fail_with_message(msg) fail Vagrant::Errors::VagrantError.new, msg end -def hosts(sites) - site_hosts = sites.flat_map { |(_name, site)| site['site_hosts'] } - - site_hosts.each do |host| - if !host.is_a?(Hash) || !host.has_key?('canonical') - fail_with_message File.read(File.join(ANSIBLE_PATH, 'roles/common/templates/site_hosts.j2')).sub!('{{ env }}', 'development').gsub!(/com$/, 'dev') - end - end - - site_hosts -end - -def load_wordpress_sites - config_file = File.join(ANSIBLE_PATH, 'group_vars', 'development', 'wordpress_sites.yml') - - if File.exists?(config_file) - wordpress_sites = YAML.load_file(config_file)['wordpress_sites'] - fail_with_message "No sites found in #{config_file}." if wordpress_sites.to_h.empty? - else - fail_with_message "#{config_file} was not found. Please set `ANSIBLE_PATH` in your Vagrantfile." - end - - wordpress_sites -end - def local_provisioning? @local_provisioning ||= Vagrant::Util::Platform.windows? || !which('ansible-playbook') || ENV['FORCE_ANSIBLE_LOCAL'] end @@ -70,12 +45,6 @@ def local_site_path(site) File.expand_path(site['local_path'], ANSIBLE_PATH) end -def multisite_subdomains?(wordpress_sites) - wordpress_sites.any? do |(_name, site)| - site['multisite'].fetch('enabled', false) && site['multisite'].fetch('subdomains', false) - end -end - def nfs_path(path) "/vagrant-nfs-#{File.basename(path)}" end From cff773e07bdeff6a66c382df18e3e9fa68c93219 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 18 Sep 2017 16:07:16 -0400 Subject: [PATCH 261/292] Fix multisite_subdomains Ruby compat --- lib/trellis/config.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/trellis/config.rb b/lib/trellis/config.rb index 3a8008117d..5dae571c70 100644 --- a/lib/trellis/config.rb +++ b/lib/trellis/config.rb 
@@ -12,7 +12,8 @@ def initialize(root_path:) def multisite_subdomains? @using_multisite_subdomains ||= begin wordpress_sites.any? do |(_name, site)| - site['multisite']&.fetch('enabled', false) && site['multisite']&.fetch('subdomains', false) + next false unless multisite = site['multisite'] + multisite.fetch('enabled', false) && multisite.fetch('subdomains', false) end end end From fb8acbf4548811ddab04f62845ee0fd1bdd167fe Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Tue, 19 Sep 2017 01:08:40 -0600 Subject: [PATCH 262/292] Deploys: Minimize delay in updating WP theme paths After new release path is symlinked, sites that need WP theme paths updated won't load until updated. This commit shuffles tasks to make the update take place immediately after the symlink change. --- roles/deploy/hooks/finalize-after.yml | 39 ++++++++------------------ roles/deploy/hooks/finalize-before.yml | 19 +++++++++++++ 2 files changed, 30 insertions(+), 28 deletions(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index f99be1006e..f731529d5c 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml 
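Review bot: `multisite.fetch('enabled', false)` on the new line assumes the value under `multisite` is a Hash; a site configured with `multisite: true` or any other scalar raises NoMethodError when the Vagrantfile calls `trellis_config.multisite_subdomains?` instead of yielding a readable config error. Tightening the guard to `next false unless (multisite = site['multisite']).is_a?(Hash)` avoids the crash, or route the scalar case through `fail_with` if it should be rejected loudly rather than ignored. The rest of the class is outside this hunk.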
@@ -1,33 +1,5 @@ --- - block: - - name: Warn about updating network database. - debug: - msg: "Updating the network database could take a long time with a large number of sites." - when: project.update_db_on_deploy | default(update_db_on_deploy) and project.multisite.enabled | default(false) - - - name: Update WP database - command: wp core update-db {{ project.multisite.enabled | default(false) | ternary('--network', '') }} - args: - chdir: "{{ deploy_helper.current_path }}" - when: project.update_db_on_deploy | default(update_db_on_deploy) - - - name: Get WP theme template and stylesheet roots - shell: > - {% if not project.multisite.enabled | default(false) %} - wp option get {{ item }} --skip-plugins --skip-themes - {% else %} - wp site list --field=url | xargs -I {} bash -c 'export url="{}"; echo -n "$url " && wp option get {{ item }} --skip-plugins --skip-themes --url=$url || echo' - {% endif %} - args: - chdir: "{{ deploy_helper.current_path }}" - register: wp_template_root - changed_when: false - failed_when: wp_template_root.stderr != "" - when: update_wp_theme_paths | default(true) | bool - with_items: - - template_root - - stylesheet_root - - name: Update WP theme paths command: > wp option set {{ item[0].option }} 
@@ -40,6 +12,17 @@ - "[{% for result in wp_template_root.results %}{'option': '{{ result.item }}', 'stdout_lines': {{ result.stdout_lines | select('search', deploy_helper.releases_path) | list }}},{% endfor %}]" - stdout_lines + - name: Warn about updating network database. + debug: + msg: "Updating the network database could take a long time with a large number of sites." + when: project.update_db_on_deploy | default(update_db_on_deploy) and project.multisite.enabled | default(false) + + - name: Update WP database + command: wp core update-db {{ project.multisite.enabled | default(false) | ternary('--network', '') }} + args: + chdir: "{{ deploy_helper.current_path }}" + when: project.update_db_on_deploy | default(update_db_on_deploy) + when: wp_installed | success - name: Reload php-fpm diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 5ab2ac2bf1..6872c9918a 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -11,3 +11,22 @@ register: wp_installed changed_when: false failed_when: wp_installed.stderr != "" + +- name: Get WP theme template and stylesheet roots + shell: > + {% if not project.multisite.enabled | default(false) %} + wp option get {{ item }} --skip-plugins --skip-themes + {% else %} + wp site list --field=url | xargs -I {} bash -c 'export url="{}"; echo -n "$url " && wp option get {{ item }} --skip-plugins --skip-themes --url=$url || echo' + {% endif %} + args: + chdir: "{{ deploy_helper.current_path }}" + register: wp_template_root + changed_when: false + failed_when: wp_template_root.stderr != "" + when: + - wp_installed | success + - update_wp_theme_paths | default(true) | bool + with_items: + - template_root + - stylesheet_root From 75daba5a241a41ef95aa4b4ce879c058eb1d9df5 Mon Sep 17 00:00:00 2001 
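Review bot: The `Get WP theme template and stylesheet roots` task added to finalize-before.yml splices each site URL into a `bash -c` string through `xargs -I {}`, so a URL containing `"`, `$(` or backticks — a value a network super-admin can store in the sites table — is executed as shell by the deploying user. Pass the URL as a positional parameter instead: `wp site list --field=url | xargs -I {} bash -c 'echo -n "$1 " && wp option get {{ item }} --skip-plugins --skip-themes --url="$1" || echo' _ {}`. The pattern was only moved here from finalize-after.yml, so the exposure is pre-existing, but this is the copy that survives. `failed_when: wp_template_root.stderr != ""` will also trip on any PHP notice wp-cli prints while looping over subsites, which may be intended but is worth a comment.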
From: Phil Nelson Date: Tue, 19 Sep 2017 01:35:30 -0600 Subject: [PATCH 263/292] Remove WP transient _site_transient_theme_roots during deploys WP options template_root and stylesheet_root will not exist for a site when no theme has been activated explicitly, when a site defaults to a theme like twentyseventeen. In this case, WP consults the _site_transient_theme_roots transient for the path to the theme. This transient contains release paths that do not update on deploy, leading to WSOD due to various instances of "No such file or directory." This commit avoids the problem by removing the transient immediately after the new release path is symlinked. WP auto-regenerates the transient with correct paths. --- roles/deploy/hooks/finalize-after.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index f731529d5c..420cbe16d3 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -1,5 +1,13 @@ --- - block: + - name: Remove WordPress transient containing old release path + shell: "{{ project.multisite.enabled | default(false) | ternary('wp network meta delete 1', 'wp option delete') }} _site_transient_theme_roots ||:" + args: + chdir: "{{ deploy_helper.current_path }}" + register: site_transient_theme_roots + changed_when: site_transient_theme_roots.stdout != '' + when: update_wp_theme_paths | default(true) | bool + - name: Update WP theme paths command: > wp option set {{ item[0].option }} From 416e35750299f20e656ed6d73b9c19f3c4c1c7c9 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Tue, 19 Sep 2017 23:29:24 -0400 Subject: [PATCH 264/292] Default h5bp expires and cache busting to false --- roles/wordpress-setup/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/wordpress-setup/defaults/main.yml b/roles/wordpress-setup/defaults/main.yml index e6bee8ab26..b34865ca89 100644 
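Review bot: The `||:` appended to the `wp ... delete _site_transient_theme_roots` command forces rc 0 for every failure — wp-cli missing from PATH, database unreachable, wrong working directory — not just the expected "option does not exist" case, and because the task only keys `changed_when` on stdout, nothing later can tell those outcomes apart. Prefer keeping the real exit code and relaxing failure explicitly so `rc` and `stderr` stay inspectable in `-v` output: drop `||:` and add `failed_when: false` (or a `failed_when` that tolerates only the not-found message once its exact wording is confirmed). The enclosing `- block:` and its `when:` guard are outside this hunk.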
--- a/roles/wordpress-setup/defaults/main.yml
+++ b/roles/wordpress-setup/defaults/main.yml
@@ -30,9 +30,9 @@ h5bp_cache_file_descriptors_enabled: "{{ h5bp.cache_file_descriptors | default(n
 h5bp_extra_security_enabled: "{{ h5bp.extra_security | default(true) }}"
 h5bp_no_transform_enabled: "{{ h5bp.no_transform | default(false) }}"
 h5bp_x_ua_compatible_enabled: "{{ h5bp.x_ua_compatible | default(true) }}"
-h5bp_cache_busting_enabled: "{{ h5bp.cache_busting | default(not_dev) }}"
+h5bp_cache_busting_enabled: "{{ h5bp.cache_busting | default(false) }}"
 h5bp_cross_domain_fonts_enabled: "{{ h5bp.cross_domain_fonts | default(true) }}"
-h5bp_expires_enabled: "{{ h5bp.expires | default(not_dev) }}"
+h5bp_expires_enabled: "{{ h5bp.expires | default(false) }}"
 h5bp_protect_system_files_enabled: "{{ h5bp.protect_system_files | default(true) }}"
 # PHP FPM
From 8a4677c68448b12417e34a720f5277b1d3094a41 Mon Sep 17 00:00:00 2001
From: Phil Nelson
Date: Wed, 20 Sep 2017 09:42:03 -0600
Subject: [PATCH 265/292] CHANGELOG updates
---
 CHANGELOG.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 85654bda19..79137aa51d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,13 @@
 ### HEAD
+* Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894))
+* Deploys: Update WP theme paths for multisite subsites ([#854](https://github.com/roots/trellis/pull/854))
+* Vagrant: Support DHCP ([#892](https://github.com/roots/trellis/pull/892))
+* Extract Trellis::Config ([#890](https://github.com/roots/trellis/pull/890))
+* Redirect directly to https canonical domain ([#889](https://github.com/roots/trellis/pull/889))
+* WordPress Setup: Add Nginx `ssl_client_certificate` ([#869](https://github.com/roots/trellis/pull/869))
+* Update h5bp/server-configs-nginx ([#876](https://github.com/roots/trellis/pull/876))
+* Update ansible galaxy roles ([#872](https://github.com/roots/trellis/pull/872))
+* Update wp-cli to 1.3.0 ([#871](https://github.com/roots/trellis/pull/871))
 * Add ansible_local support for non-Windows ([#824](https://github.com/roots/trellis/pull/824))
 * Load `modules-enabled` config files in Nginx ([#859](https://github.com/roots/trellis/pull/859))
 * Only include \*.conf files in Nginx `sites-enabled/` ([#862](https://github.com/roots/trellis/pull/862))
From d96a58f4e2c31b261c7b03cdf2341d54dd1c6110 Mon Sep 17 00:00:00 2001
From: Phil Nelson Date: Wed, 20 Sep 2017 00:17:27 -0600 Subject: [PATCH 266/292] Ansible 2.4 compatibility - update `include` to `import_tasks`, `include_tasks` or `import_playbook` - bump Ansible requirement to 2.4 to accommodate `import_*` and `include_*` - add warning for Ansible versions greater than tested with Trellis - adjust `when` conditions: `failed` and `success` no longer account for `rc` - move dynamic HostKeyAlgorithms from `--ssh-extra-args` to `environment` keyword - accommodate potential for multiple inventories (`inventory` list in `cli.options`) - remove `loader` kwarg from VariableManager.get_vars() --- CHANGELOG.md | 1 + deploy.yml | 2 +- lib/trellis/plugins/callback/vars.py | 10 +++++++--- lib/trellis/plugins/filter/filters.py | 2 +- lib/trellis/plugins/vars/version.py | 27 ++++++++++++++++++++------ lib/trellis/utils/output.py | 2 +- roles/common/handlers/main.yml | 4 ++-- roles/connection/tasks/main.yml | 9 +++++---- roles/deploy/hooks/finalize-after.yml | 4 ++-- roles/deploy/hooks/finalize-before.yml | 4 ++-- roles/deploy/tasks/build.yml | 4 ++-- roles/deploy/tasks/finalize.yml | 4 ++-- roles/deploy/tasks/initialize.yml | 4 ++-- roles/deploy/tasks/main.yml | 16 +++++++-------- roles/deploy/tasks/prepare.yml | 4 ++-- roles/deploy/tasks/share.yml | 4 ++-- roles/deploy/tasks/update.yml | 4 ++-- roles/letsencrypt/tasks/main.yml | 6 +++--- roles/letsencrypt/tasks/nginx.yml | 2 +- roles/rollback/tasks/main.yml | 4 ++-- roles/users/tasks/main.yml | 4 ++-- roles/wordpress-install/tasks/main.yml | 2 +- roles/wordpress-setup/tasks/main.yml | 10 +++++----- roles/wordpress-setup/tasks/nginx.yml | 2 +- rollback.yml | 2 +- server.yml | 2 +- vagrant.default.yml | 2 +- 27 files changed, 81 insertions(+), 60 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 79137aa51d..13240be9de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) * Deploys: Update WP theme paths for multisite subsites ([#854](https://github.com/roots/trellis/pull/854)) * Vagrant: Support DHCP ([#892](https://github.com/roots/trellis/pull/892)) diff --git a/deploy.yml b/deploy.yml index 4b281b1be0..0962b3e156 100644 --- a/deploy.yml +++ b/deploy.yml @@ -1,5 +1,5 @@ --- -- include: variable-check.yml +- import_playbook: variable-check.yml vars: playbook: deploy.yml diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index c9dadfbd01..42942bdca1 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -5,10 +5,11 @@ import sys from __main__ import cli -from ansible.compat.six import iteritems +from ansible.module_utils.six import iteritems from ansible.errors import AnsibleError from ansible.parsing.dataloader import DataLoader from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode +from ansible.playbook.play_context import PlayContext from ansible.plugins.callback import CallbackBase from ansible.template import Templar @@ -58,7 +59,6 @@ def cli_options(self): strings = { '--connection': 'connection', - '--inventory-file': 'inventory', '--private-key': 'private_key_file', '--ssh-common-args': 'ssh_common_args', '--ssh-extra-args': 'ssh_extra_args', @@ -70,6 +70,9 @@ def cli_options(self): if getattr(self._options, value, False): options.append("{0}='{1}'".format(option, str(getattr(self._options, value)))) + for inventory in getattr(self._options, 'inventory'): + options.append("--inventory='{}'".format(str(inventory))) + if getattr(self._options, 'ask_vault_pass', False): options.append('--ask-vault-pass') 
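Review bot: The new `--inventory='{}'` entries wrap the path in single quotes without escaping, and the loop reads `getattr(self._options, 'inventory')` with no default, unlike every other option lookup in this method. Because `cli_options` is later re-parsed as a command line (roles/connection builds `command ansible ... {{ cli_options }}` from it), an inventory path containing `'` or other shell-significant characters breaks or alters that command; quote with `shlex_quote` from `ansible.module_utils.six.moves`, e.g. `for inventory in getattr(self._options, 'inventory', None) or []:` followed by `options.append('--inventory={}'.format(shlex_quote(str(inventory))))`. The pre-existing `{0}='{1}'` formatting a few lines up has the same weakness and would benefit from the same treatment. `cli_options` begins outside this hunk.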
@@ -87,8 +90,9 @@ def darwin_without_passlib(self): def v2_playbook_on_play_start(self, play): for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): - hostvars = play.get_variable_manager().get_vars(loader=self.loader, play=play, host=host) + hostvars = play.get_variable_manager().get_vars(play=play, host=host) self.raw_vars(play, host, hostvars) + host.vars['ssh_args_default'] = PlayContext(play=play, options=self._options)._ssh_args.default host.vars['cli_options'] = self.cli_options() host.vars['cli_ask_pass'] = getattr(self._options, 'ask_pass', False) host.vars['cli_ask_become_pass'] = getattr(self._options, 'become_ask_pass', False) diff --git a/lib/trellis/plugins/filter/filters.py b/lib/trellis/plugins/filter/filters.py index 05ad4276ed..6c8eed5eb7 100644 --- a/lib/trellis/plugins/filter/filters.py +++ b/lib/trellis/plugins/filter/filters.py @@ -5,7 +5,7 @@ import types from ansible import errors -from ansible.compat.six import string_types +from ansible.module_utils.six import string_types def to_env(dict_value): envs = ["{0}='{1}'".format(key.upper(), str(value).replace("'","\\'")) for key, value in sorted(dict_value.items())] diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index bc766f54ce..fd6c7b4d4c 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
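Review bot: `PlayContext(play=play, options=self._options)._ssh_args.default` reaches through a private attribute to read a FieldAttribute's declared default, an internal detail that can move or disappear between Ansible point releases and, if I read it correctly, yields the hard-coded default rather than the `ssh_args` the operator configured in ansible.cfg or `ANSIBLE_SSH_ARGS`. `ansible.constants.ANSIBLE_SSH_ARGS` holds the resolved value in 2.4, so `host.vars['ssh_args_default'] = C.ANSIBLE_SSH_ARGS` (with `from ansible import constants as C`) is both stable across versions and closer to what the connection test in roles/connection wants to preserve. A one-line comment explaining why the default SSH args are exported as a hostvar would also help, since the consumer lives in a different role. The method continues outside this hunk.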
@@ -5,16 +5,31 @@ from ansible import __version__ from ansible.errors import AnsibleError from distutils.version import LooseVersion -from operator import ge +from operator import ge, gt + +try: + from __main__ import display +except ImportError: + from ansible.utils.display import Display + display = Display() + +version_requirement = '2.4.0.0' +version_tested_max = '2.4.0.0' -version_requirement = '2.2.0.0' if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' 'Please upgrade to Ansible {} or higher.').format(__version__, version_requirement)) +elif gt(LooseVersion(__version__), LooseVersion(version_tested_max)): + display.warning(u'You Ansible version is {} but this version of Trellis has only been tested for ' + u'compatability with Ansible {} -> {}. It is advisable to check for Trellis updates or ' + u'downgrade your Ansible version.'.format(__version__, version_requirement, version_tested_max)) + +# Import BaseVarsPlugin after Ansible version check. +# Otherwise import error for Ansible versions older than 2.4 would prevent display of version check message. +from ansible.plugins.vars import BaseVarsPlugin -class VarsModule(object): - ''' Creates and modifies host variables ''' +class VarsModule(BaseVarsPlugin): - def __init__(self, inventory): - pass + def get_vars(self, loader, path, entities, cache=True): + return {} diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 36c872d7fa..7cd54ba5c8 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py 
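Review bot: The warning string has two typos that every user on a newer Ansible will see — `You Ansible version` and `compatability`; change the fragments to `u'Your Ansible version is {} but this version of Trellis has only been tested for '` and `u'compatibility with Ansible {} -> {}. It is advisable to check for Trellis updates or '`. Because `version_tested_max` is `2.4.0.0` and the check is `gt` on full `LooseVersion`s, patch releases such as 2.4.0.1 or 2.4.1 also trigger the warning, which may be intended but deserves a comment next to the constant. The deferred `from ansible.plugins.vars import BaseVarsPlugin` is well justified by the comment above it; keep that.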
@@ -67,7 +67,7 @@ def display(obj, result): display = obj._display.display wrap_width = 77 first = obj.first_host and obj.first_item - failed = 'failed' in result or 'unreachable' in result + failed = result.get('failed', False) or result.get('unreachable', False) # Only display msg if debug module or if failed (some modules have undesired 'msg' on 'ok') if 'msg' in result and (failed or obj.action == 'debug'): diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index bac2a61ba3..cab7d53088 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: disable temporary challenge sites - include: disable_challenge_sites.yml + import_tasks: disable_challenge_sites.yml - name: restart memcached service: @@ -12,4 +12,4 @@ name: php7.1-fpm state: reloaded -- include: reload_nginx.yml +- import_tasks: reload_nginx.yml diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml index b550e77c10..92ba31315d 100644 --- a/roles/connection/tasks/main.yml +++ b/roles/connection/tasks/main.yml 
@@ -12,14 +12,15 @@ register: preferred_host_key_algorithms when: - dynamic_host_key_algorithms | default(true) - - ansible_ssh_extra_args == '' + - ansible_ssh_extra_args | default('') == '' - not (ansible_host_known or ssh_config_host_known) - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }} local_action: | - command ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} - {{ ('--ssh-extra-args' not in cli_options) | ternary('--ssh-extra-args="' + ansible_ssh_extra_args + '"', '') }} - {{ cli_options | default('') }} -vvvv + command ansible {{ inventory_hostname }} -m raw -a whoami + -u {{ dynamic_user | default(true) | ternary('root', web_user) }} {{ cli_options | default('') }} -vvvv + environment: + ANSIBLE_SSH_ARGS: "{{ ssh_args_default }} {{ ansible_ssh_extra_args | default('') }}" failed_when: false changed_when: false check_mode: no diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index 420cbe16d3..d60809d0da 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -17,7 +17,7 @@ chdir: "{{ deploy_helper.current_path }}" when: update_wp_theme_paths | default(true) | bool with_subelements: - - "[{% for result in wp_template_root.results %}{'option': '{{ result.item }}', 'stdout_lines': {{ result.stdout_lines | select('search', deploy_helper.releases_path) | list }}},{% endfor %}]" + - "[{% for result in wp_template_root.results %}{'option': '{{ result.item }}', 'stdout_lines': {{ result.stdout_lines | default ([]) | select('search', deploy_helper.releases_path) | list }}},{% endfor %}]" - stdout_lines - name: Warn about updating network database. 
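Review bot: `environment: ANSIBLE_SSH_ARGS: "{{ ssh_args_default }} {{ ansible_ssh_extra_args | default('') }}"` replaces, for this probe only, whatever `ssh_args` the operator set in ansible.cfg or the `ANSIBLE_SSH_ARGS` variable — if `ssh_args_default` really is the plugin's built-in default, a bastion `ProxyCommand` or `ControlPath` configured there is dropped and the `whoami` test can report a false negative while the real play connects fine. Consider `"{{ lookup('env', 'ANSIBLE_SSH_ARGS') | default(ssh_args_default, true) }} {{ ansible_ssh_extra_args | default('') }}"` as the base, or export the resolved constant from the callback plugin that sets `ssh_args_default`. The probe also runs with `-vvvv`; its output is not shown unless registered, but anything that later prints the result will include full ssh debug lines, which a short comment should warn about.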
@@ -31,7 +31,7 @@ chdir: "{{ deploy_helper.current_path }}" when: project.update_db_on_deploy | default(update_db_on_deploy) - when: wp_installed | success + when: wp_installed.rc == 0 - name: Reload php-fpm shell: sudo service php7.1-fpm reload diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index 6872c9918a..ec40bc9ee2 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml @@ -23,9 +23,9 @@ chdir: "{{ deploy_helper.current_path }}" register: wp_template_root changed_when: false - failed_when: wp_template_root.stderr != "" + failed_when: wp_template_root.stderr | default('') != '' when: - - wp_installed | success + - wp_installed.rc == 0 - update_wp_theme_paths | default(true) | bool with_items: - template_root diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index 7079c69207..c7cf9be7d2 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -1,5 +1,5 @@ --- -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_build_before | default([]) }}" loop_control: loop_var: include_path @@ -23,7 +23,7 @@ with_items: "{{ project_folder_paths.results }}" when: item.stat.exists -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_build_after | default([]) }}" loop_control: loop_var: include_path diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index e852b316a6..996873919d 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml @@ -1,5 +1,5 @@ --- -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_finalize_before | default([]) }}" loop_control: loop_var: include_path 
@@ -12,7 +12,7 @@ release: "{{ deploy_helper.new_release }}" state: finalize -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_finalize_after | default([]) }}" loop_control: loop_var: include_path diff --git a/roles/deploy/tasks/initialize.yml b/roles/deploy/tasks/initialize.yml index 253ed088db..a78fefab90 100644 --- a/roles/deploy/tasks/initialize.yml +++ b/roles/deploy/tasks/initialize.yml @@ -1,5 +1,5 @@ --- -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_initialize_before | default([]) }}" loop_control: loop_var: include_path @@ -11,7 +11,7 @@ path: "{{ project_root }}" state: present -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_initialize_after | default([]) }}" loop_control: loop_var: include_path diff --git a/roles/deploy/tasks/main.yml b/roles/deploy/tasks/main.yml index 579fdc653a..2e6b5c27f7 100644 --- a/roles/deploy/tasks/main.yml +++ b/roles/deploy/tasks/main.yml @@ -1,18 +1,18 @@ --- -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_before | default([]) }}" loop_control: loop_var: include_path tags: deploy-before -- include: initialize.yml -- include: update.yml -- include: prepare.yml -- include: build.yml -- include: share.yml -- include: finalize.yml +- import_tasks: initialize.yml +- import_tasks: update.yml +- import_tasks: prepare.yml +- import_tasks: build.yml +- import_tasks: share.yml +- import_tasks: finalize.yml -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_after | default([]) }}" loop_control: loop_var: include_path diff --git a/roles/deploy/tasks/prepare.yml b/roles/deploy/tasks/prepare.yml index 1d3e75dd5d..9181b43f51 100644 --- a/roles/deploy/tasks/prepare.yml +++ b/roles/deploy/tasks/prepare.yml 
@@ -1,5 +1,5 @@ --- -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_prepare_before | default([]) }}" loop_control: loop_var: include_path @@ -38,7 +38,7 @@ chdir: "{{ project_source_path }}" when: project.repo_subtree_path is defined -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_prepare_after | default([]) }}" loop_control: loop_var: include_path diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 859834448e..0537a8887f 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -1,5 +1,5 @@ --- -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_share_before | default([]) }}" loop_control: loop_var: include_path @@ -48,7 +48,7 @@ state: link with_items: "{{ project_shared_children }}" -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_share_after | default([]) }}" loop_control: loop_var: include_path diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index c24fedc9c5..1be9bc1ff8 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml @@ -1,5 +1,5 @@ --- -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_update_before | default([]) }}" loop_control: loop_var: include_path @@ -51,7 +51,7 @@ > https://roots.io/trellis/docs/ssh-keys/#cloning-remote-repo-using-ssh-agent-forwarding when: git_clone | failed -- include: "{{ include_path }}" +- include_tasks: "{{ include_path }}" with_items: "{{ deploy_update_after | default([]) }}" loop_control: loop_var: include_path diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml index 6c8b46cdd8..27c4b86ac7 100644 --- a/roles/letsencrypt/tasks/main.yml +++ b/roles/letsencrypt/tasks/main.yml 
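Review bot: The unchanged context line `when: git_clone | failed` sits in this hunk while the commit's own description says `failed` no longer accounts for `rc` in Ansible 2.4 — if the registered `git_clone` task suppresses failure with `failed_when: false` (its definition is outside the hunk), this condition is never true and the SSH-agent-forwarding hint above it is never displayed. Aligning it with the `wp_installed.rc == 0` change elsewhere in the commit, `when: git_clone.rc is defined and git_clone.rc != 0`, keeps the hint working regardless of how the clone task reports failure.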
@@ -1,7 +1,7 @@ --- -- include: setup.yml -- include: nginx.yml -- include: certificates.yml +- import_tasks: setup.yml +- import_tasks: nginx.yml +- import_tasks: certificates.yml - name: Install cronjob for key generation cron: diff --git a/roles/letsencrypt/tasks/nginx.yml b/roles/letsencrypt/tasks/nginx.yml index 981fb3bce1..298524cc07 100644 --- a/roles/letsencrypt/tasks/nginx.yml +++ b/roles/letsencrypt/tasks/nginx.yml @@ -35,7 +35,7 @@ with_dict: "{{ wordpress_sites }}" notify: disable temporary challenge sites -- include: "{{ playbook_dir }}/roles/common/tasks/reload_nginx.yml" +- import_tasks: "{{ playbook_dir }}/roles/common/tasks/reload_nginx.yml" when: challenge_site_confs | changed or challenge_sites_enabled | changed - name: Create test Acme Challenge file diff --git a/roles/rollback/tasks/main.yml b/roles/rollback/tasks/main.yml index aa78e0db1d..4185f2729b 100644 --- a/roles/rollback/tasks/main.yml +++ b/roles/rollback/tasks/main.yml @@ -1,8 +1,8 @@ --- -- include: user-release.yml +- import_tasks: user-release.yml when: release is defined -- include: prior-release.yml +- import_tasks: prior-release.yml when: release is not defined - name: Check whether target release was from a successful deploy diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml index 84e27667f8..e1487bc5c6 100644 --- a/roles/users/tasks/main.yml +++ b/roles/users/tasks/main.yml @@ -66,6 +66,6 @@ when: (ansible_user != admin_user and not sshd_permit_root_login) or (cli_ask_pass and not sshd_password_authentication) tags: [connection-tests, sshd] -- include: connection-warnings.yml - when: admin_user_status | failed +- import_tasks: connection-warnings.yml + when: not admin_user_status | skipped and admin_user_status.rc != 0 tags: [connection-tests, sshd] diff --git a/roles/wordpress-install/tasks/main.yml b/roles/wordpress-install/tasks/main.yml index 5545d5fbb7..27e3458985 100644 --- a/roles/wordpress-install/tasks/main.yml 
+++ b/roles/wordpress-install/tasks/main.yml @@ -1,5 +1,5 @@ --- -- include: directories.yml +- import_tasks: directories.yml tags: wordpress-install-directories - name: Create .env file diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 0e5c9f1c0b..732d95e383 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -1,9 +1,9 @@ --- -- include: database.yml +- import_tasks: database.yml tags: wordpress-setup-database -- include: self-signed-certificate.yml +- import_tasks: self-signed-certificate.yml tags: wordpress-setup-self-signed-certificate -- include: nginx-client-cert.yml +- import_tasks: nginx-client-cert.yml tags: wordpress-setup-nginx-client-cert - name: Create web root @@ -36,10 +36,10 @@ when: disable_default_pool | default(true) notify: reload php-fpm -- include: nginx-includes.yml +- import_tasks: nginx-includes.yml tags: [nginx-includes, wordpress-setup-nginx] -- include: nginx.yml +- import_tasks: nginx.yml tags: wordpress-setup-nginx - name: Setup WP system cron diff --git a/roles/wordpress-setup/tasks/nginx.yml b/roles/wordpress-setup/tasks/nginx.yml index b55abd569e..e2d9b58cc8 100644 --- a/roles/wordpress-setup/tasks/nginx.yml +++ b/roles/wordpress-setup/tasks/nginx.yml @@ -17,7 +17,7 @@ when: ssl_enabled and item.value.ssl.key is defined notify: reload nginx -- include: "{{ playbook_dir }}/roles/common/tasks/disable_challenge_sites.yml" +- import_tasks: "{{ playbook_dir }}/roles/common/tasks/disable_challenge_sites.yml" - name: Create Nginx conf for challenges location template: diff --git a/rollback.yml b/rollback.yml index a74b318f0e..f3e0405a92 100644 --- a/rollback.yml +++ b/rollback.yml @@ -1,5 +1,5 @@ --- -- include: variable-check.yml +- import_playbook: variable-check.yml vars: playbook: rollback.yml diff --git a/server.yml b/server.yml index 8a67461667..bd181f1f96 100644 --- a/server.yml +++ b/server.yml 
@@ -1,5 +1,5 @@ --- -- include: variable-check.yml +- import_playbook: variable-check.yml vars: playbook: server.yml diff --git a/vagrant.default.yml b/vagrant.default.yml index b5ebedfc33..53a06b2716 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '<= 2.3.8' -vagrant_ansible_version: '2.3.0' +vagrant_ansible_version: '2.4.0' vagrant_skip_galaxy: false vagrant_install_plugins: true From 6c78ebce628e029628b1e12473dea2cee8d78426 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sat, 16 Sep 2017 18:10:43 +0800 Subject: [PATCH 267/292] Normalize `apt` tasks and check package variables format --- CHANGELOG.md | 1 + group_vars/all/main.yml | 3 ++ roles/common/defaults/main.yml | 20 +++++----- roles/common/tasks/main.yml | 38 +++++++++++++++++-- .../package_vars_wrong_format_msg.j2 | 4 ++ roles/fail2ban/tasks/main.yml | 6 +-- roles/ferm/tasks/main.yml | 6 +-- roles/mariadb/tasks/main.yml | 8 ++-- roles/memcached/defaults/main.yml | 7 ++++ roles/memcached/tasks/main.yml | 8 ++-- roles/nginx/tasks/main.yml | 5 ++- roles/php/defaults/main.yml | 30 +++++++-------- roles/php/tasks/main.yml | 9 +++-- roles/sshd/defaults/main.yml | 7 ++++ roles/sshd/tasks/main.yml | 10 ++--- roles/ssmtp/tasks/main.yml | 4 +- roles/xdebug/tasks/main.yml | 4 +- 17 files changed, 111 insertions(+), 59 deletions(-) create mode 100644 roles/common/templates/package_vars_wrong_format_msg.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 13240be9de..578361c15e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,4 +1,5 @@ ### HEAD +* [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) * Deploys: Update WP theme paths for multisite subsites ([#854](https://github.com/roots/trellis/pull/854)) diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml index bcc0f88483..68ef57b68e 100644 --- a/group_vars/all/main.yml +++ b/group_vars/all/main.yml @@ -2,6 +2,9 @@ composer_keep_updated: true composer_global_packages: - { name: hirak/prestissimo } apt_cache_valid_time: 3600 +apt_package_state: present +apt_security_package_state: latest +apt_dev_package_state: latest ntp_timezone: Etc/UTC ntp_manage_config: true www_root: /srv/www diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 2a6d4a1f4f..3ec83ee973 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
@@ -1,17 +1,17 @@ ntp_timezone: Etc/UTC apt_packages_default: - - python-software-properties - - python-pycurl - - build-essential - - python-mysqldb - - curl - - git-core - - dbus - - libnss-myhostname + python-software-properties: "{{ apt_package_state }}" + python-pycurl: "{{ apt_package_state }}" + build-essential: "{{ apt_package_state }}" + python-mysqldb: "{{ apt_package_state }}" + curl: "{{ apt_package_state }}" + git-core: "{{ apt_package_state }}" + dbus: "{{ apt_package_state }}" + libnss-myhostname: "{{ apt_package_state }}" -apt_packages_custom: [] -apt_packages: "{{ apt_packages_default + apt_packages_custom }}" +apt_packages_custom: {} +apt_packages: "{{ apt_packages_default | combine(apt_packages_custom) }}" openssh_6_8_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.8', '>=') }}" overlapping_ciphers: "[{% for cipher in (sshd_ciphers_default + sshd_ciphers_extra) if cipher in ssh_client_ciphers %}'{{ cipher }}',{% endfor %}]" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index f6a59531b8..072414cf12 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -12,6 +12,36 @@ when: item.value.site_hosts | rejectattr('canonical', 'defined') | list | count tags: [letsencrypt, wordpress] +- name: Verify dict format for apt package component variables + fail: + msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" + when: package_vars_wrong_format | count + vars: + package_vars: + apt_packages_default: "{{ apt_packages_default }}" + apt_packages_custom: "{{ apt_packages_custom }}" + memcached_packages_default: "{{ memcached_packages_default }}" + memcached_packages_custom: "{{ memcached_packages_custom }}" + php_extensions_default: "{{ php_extensions_default }}" + php_extensions_custom: "{{ php_extensions_custom }}" + sshd_packages_default: "{{ sshd_packages_default }}" + sshd_packages_custom: "{{ sshd_packages_custom }}" + package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + tags: [sshd, memcached, php] + +- name: Verify dict format for apt package combined variables + fail: + msg: "{{ lookup('template', 'package_vars_wrong_format_msg.j2') }}" + when: package_vars_wrong_format | count + vars: + package_vars: + apt_packages: "{{ apt_packages }}" + memcached_packages: "{{ memcached_packages }}" + php_extensions: "{{ php_extensions }}" + sshd_packages: "{{ sshd_packages }}" + package_vars_wrong_format: "[{% for k,v in package_vars.iteritems() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]" + tags: [sshd, memcached, php] + - name: Validate Ubuntu version debug: msg: | @@ -61,11 +91,11 @@ - name: Checking essentials apt: - name: "{{ item }}" - state: present - update_cache: true + name: "{{ item.key }}" + state: "{{ item.value }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - with_items: "{{ apt_packages }}" + with_dict: "{{ apt_packages }}" - name: Validate timezone variable stat: 
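Review bot: Both `package_vars_wrong_format` expressions in the first hunk call `package_vars.iteritems()`, which exists only on Python 2 dicts; when the controller runs Ansible on Python 3 the verification task itself fails with an undefined-attribute error instead of reporting a badly formatted variable. Jinja's `.items()` works on both: `package_vars_wrong_format: "[{% for k,v in package_vars.items() if v | type_debug != 'dict' %}'{{ k }}',{% endfor %}]"`. The same check also dereferences `memcached_packages_default`, `php_extensions_default` and `sshd_packages_default`, which are defaults of other roles; if a play ever runs the common role without those roles in it, the lookup is undefined and the task errors rather than skips, which is worth confirming against the playbooks outside this hunk. A comment on the task naming that dependency, e.g. `# relies on the memcached/php/sshd role defaults being loaded in the same play`, would make it explicit.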
diff --git a/roles/common/templates/package_vars_wrong_format_msg.j2 b/roles/common/templates/package_vars_wrong_format_msg.j2 new file mode 100644 index 0000000000..196368b904 --- /dev/null +++ b/roles/common/templates/package_vars_wrong_format_msg.j2 @@ -0,0 +1,4 @@ +The following variables must be formatted as dicts: + {{ package_vars_wrong_format | to_nice_yaml | indent(2) }} + +See: https://github.com/roots/trellis/pull/881 diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 3af663a73e..36a66609a7 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -1,9 +1,9 @@ --- - name: ensure fail2ban is installed apt: - pkg: fail2ban - state: latest - update_cache: true + name: fail2ban + state: "{{ fail2ban_package_state | default(apt_security_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" notify: - restart fail2ban diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index b5d691868b..a84357dc08 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -8,9 +8,9 @@ - name: ensure ferm is installed apt: - pkg: ferm - state: latest - update_cache: true + name: ferm + state: "{{ ferm_package_state | default(apt_security_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" install_recommends: no notify: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 5e998fde95..c19e9e4472 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
@@ -2,15 +2,17 @@ - name: Install MySQL client apt: name: mariadb-client - state: present - update_cache: true + state: "{{ mariadb_client_package_state | default(apt_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - block: - name: Install MySQL server apt: name: mariadb-server - state: present + state: "{{ mariadb_server_package_state | default(apt_package_state) }}" + update_cache: yes + cache_valid_time: "{{ apt_cache_valid_time }}" - name: Disable MariaDB binary logging template: diff --git a/roles/memcached/defaults/main.yml b/roles/memcached/defaults/main.yml index f5baaece22..11403dc688 100644 --- a/roles/memcached/defaults/main.yml +++ b/roles/memcached/defaults/main.yml @@ -4,3 +4,10 @@ memcached_fs_file_max: 756024 memcached_listen_ip: 127.0.0.1 memcached_max_conn: 1024 memcached_port: 11211 + +memcached_packages_default: + memcached: "{{ apt_package_state }}" + php-memcached: "{{ apt_package_state }}" + +memcached_packages_custom: {} +memcached_packages: "{{ memcached_packages_default | combine(memcached_packages_custom) }}" diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 2e2c5dff41..398866d5aa 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -1,13 +1,11 @@ --- - name: Install memcached apt: - name: "{{ item }}" - state: present + name: "{{ item.key }}" + state: "{{ item.value }}" update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - with_items: - - memcached - - php-memcached + with_dict: "{{ memcached_packages }}" - name: Copy the client configuration file template: diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index b042455fa0..83a3cff231 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml 
@@ -7,8 +7,9 @@ - name: Install Nginx apt: name: "{{ nginx_package }}" - state: present - force: yes + state: "{{ nginx_package_state | default(apt_package_state) }}" + update_cache: yes + cache_valid_time: "{{ apt_cache_valid_time }}" - name: Create SSL directory file: diff --git a/roles/php/defaults/main.yml b/roles/php/defaults/main.yml index 518b6491b1..129bb128f5 100644 --- a/roles/php/defaults/main.yml +++ b/roles/php/defaults/main.yml @@ -2,22 +2,22 @@ disable_default_pool: true memcached_sessions: false php_extensions_default: - - php7.1-cli - - php7.1-common - - php7.1-curl - - php7.1-dev - - php7.1-fpm - - php7.1-gd - - php7.1-mbstring - - php7.1-mcrypt - - php7.1-mysql - - php7.1-opcache - - php7.1-xml - - php7.1-xmlrpc - - php7.1-zip + php7.1-cli: "{{ apt_package_state }}" + php7.1-common: "{{ apt_package_state }}" + php7.1-curl: "{{ apt_package_state }}" + php7.1-dev: "{{ apt_package_state }}" + php7.1-fpm: "{{ apt_package_state }}" + php7.1-gd: "{{ apt_package_state }}" + php7.1-mbstring: "{{ apt_package_state }}" + php7.1-mcrypt: "{{ apt_package_state }}" + php7.1-mysql: "{{ apt_package_state }}" + php7.1-opcache: "{{ apt_package_state }}" + php7.1-xml: "{{ apt_package_state }}" + php7.1-xmlrpc: "{{ apt_package_state }}" + php7.1-zip: "{{ apt_package_state }}" -php_extensions_custom: [] -php_extensions: "{{ php_extensions_default + php_extensions_custom }}" +php_extensions_custom: {} +php_extensions: "{{ php_extensions_default | combine(php_extensions_custom) }}" php_error_reporting: 'E_ALL & ~E_DEPRECATED & ~E_STRICT' php_display_errors: 'Off' diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index c88a1f10a2..0fe9f57f2d 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml 
@@ -6,10 +6,11 @@ - name: Install PHP 7.1 apt: - name: "{{ item }}" - state: present - force: yes - with_items: "{{ php_extensions }}" + name: "{{ item.key }}" + state: "{{ item.value }}" + update_cache: yes + cache_valid_time: "{{ apt_cache_valid_time }}" + with_dict: "{{ php_extensions }}" - name: Start php7.1-fpm service service: diff --git a/roles/sshd/defaults/main.yml b/roles/sshd/defaults/main.yml index 205420642a..deedd28e00 100644 --- a/roles/sshd/defaults/main.yml +++ b/roles/sshd/defaults/main.yml @@ -90,3 +90,10 @@ ssh_send_env: [] ssh_strict_host_key_checking: ask ssh_use_roaming: false + +sshd_packages_default: + openssh-server: "{{ apt_security_package_state }}" + openssh-client: "{{ apt_security_package_state }}" + +sshd_packages_custom: {} +sshd_packages: "{{ sshd_packages_default | combine(sshd_packages_custom) }}" diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 3fa0bcb6c8..985ccff86c 100644 --- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -1,13 +1,11 @@ --- - name: Ensure latest SSH server and client are installed apt: - pkg: "{{ item }}" - state: latest - update_cache: true + name: "{{ item.key }}" + state: "{{ item.value }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - with_items: - - openssh-server - - openssh-client + with_dict: "{{ sshd_packages }}" notify: restart ssh - name: Create a secure sshd_config diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 140402f1cf..0de14ea431 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -2,8 +2,8 @@ - name: Install ssmtp apt: name: ssmtp - state: present - update_cache: true + state: "{{ ssmtp_package_state | default(apt_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: ssmtp configuration diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 00fc2290a3..4351c026eb 100644 --- a/roles/xdebug/tasks/main.yml 
+++ b/roles/xdebug/tasks/main.yml @@ -3,8 +3,8 @@ - name: Install Xdebug apt: name: php-xdebug - state: latest - update_cache: true + state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" + update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: Template the Xdebug configuration file From 38e03fb708dd3cc7bc430c2cf37d3922076283d1 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 1 Oct 2017 11:04:39 +0800 Subject: [PATCH 268/292] Remove `update_cache` parameter from `apt` tasks Ansible 2.4 implicitly sets `update_cache` when `cache_valid_time` is defined. --- roles/common/tasks/main.yml | 1 - roles/fail2ban/tasks/main.yml | 1 - roles/ferm/tasks/main.yml | 1 - roles/mariadb/tasks/main.yml | 2 -- roles/memcached/tasks/main.yml | 1 - roles/nginx/tasks/main.yml | 1 - roles/php/tasks/main.yml | 1 - roles/sshd/tasks/main.yml | 1 - roles/ssmtp/tasks/main.yml | 1 - roles/xdebug/tasks/main.yml | 1 - 10 files changed, 11 deletions(-) diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 072414cf12..0c675079c6 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -93,7 +93,6 @@ apt: name: "{{ item.key }}" state: "{{ item.value }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ apt_packages }}" diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index 36a66609a7..e2d9125d0d 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: fail2ban state: "{{ fail2ban_package_state | default(apt_security_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" notify: - restart fail2ban diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index a84357dc08..9ceca90cab 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml 
@@ -10,7 +10,6 @@ apt: name: ferm state: "{{ ferm_package_state | default(apt_security_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" install_recommends: no notify: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index c19e9e4472..558ead5414 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: mariadb-client state: "{{ mariadb_client_package_state | default(apt_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - block: @@ -11,7 +10,6 @@ apt: name: mariadb-server state: "{{ mariadb_server_package_state | default(apt_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: Disable MariaDB binary logging diff --git a/roles/memcached/tasks/main.yml b/roles/memcached/tasks/main.yml index 398866d5aa..dc62343926 100644 --- a/roles/memcached/tasks/main.yml +++ b/roles/memcached/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: "{{ item.key }}" state: "{{ item.value }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ memcached_packages }}" diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 83a3cff231..bb229149a3 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -8,7 +8,6 @@ apt: name: "{{ nginx_package }}" state: "{{ nginx_package_state | default(apt_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: Create SSL directory diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml index 0fe9f57f2d..c0c14d9794 100644 --- a/roles/php/tasks/main.yml +++ b/roles/php/tasks/main.yml @@ -8,7 +8,6 @@ apt: name: "{{ item.key }}" state: "{{ item.value }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ php_extensions }}" diff --git a/roles/sshd/tasks/main.yml b/roles/sshd/tasks/main.yml index 985ccff86c..acabc23938 100644 
--- a/roles/sshd/tasks/main.yml +++ b/roles/sshd/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: "{{ item.key }}" state: "{{ item.value }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" with_dict: "{{ sshd_packages }}" notify: restart ssh diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 0de14ea431..9499fd5d8a 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -3,7 +3,6 @@ apt: name: ssmtp state: "{{ ssmtp_package_state | default(apt_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: ssmtp configuration diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index 4351c026eb..d55c8745dd 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -4,7 +4,6 @@ apt: name: php-xdebug state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" - update_cache: yes cache_valid_time: "{{ apt_cache_valid_time }}" - name: Template the Xdebug configuration file From ed2f00026241248eedf75fc168c0cb6f55e1d699 Mon Sep 17 00:00:00 2001 From: Tang Rufus Date: Sun, 1 Oct 2017 11:12:35 +0800 Subject: [PATCH 269/292] Extract package names from `apt` tasks into variables --- roles/fail2ban/defaults/main.yml | 2 ++ roles/fail2ban/tasks/main.yml | 2 +- roles/ferm/defaults/main.yml | 2 ++ roles/ferm/tasks/main.yml | 2 +- roles/mariadb/defaults/main.yml | 3 +++ roles/mariadb/tasks/main.yml | 4 ++-- roles/ssmtp/defaults/main.yml | 1 + roles/ssmtp/tasks/main.yml | 2 +- roles/xdebug/defaults/main.yml | 2 ++ roles/xdebug/tasks/main.yml | 2 +- 10 files changed, 16 insertions(+), 6 deletions(-) diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml index e75e2b194d..473ae8a0d5 100644 --- a/roles/fail2ban/defaults/main.yml +++ b/roles/fail2ban/defaults/main.yml 
@@ -1,4 +1,6 @@ --- +fail2ban_package: fail2ban + fail2ban_loglevel: INFO fail2ban_logtarget: /var/log/fail2ban.log fail2ban_socket: /var/run/fail2ban/fail2ban.sock diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml index e2d9125d0d..dcc6adc5ab 100644 --- a/roles/fail2ban/tasks/main.yml +++ b/roles/fail2ban/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: ensure fail2ban is installed apt: - name: fail2ban + name: "{{ fail2ban_package }}" state: "{{ fail2ban_package_state | default(apt_security_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" notify: diff --git a/roles/ferm/defaults/main.yml b/roles/ferm/defaults/main.yml index edda2d9a98..17f623b5d0 100644 --- a/roles/ferm/defaults/main.yml +++ b/roles/ferm/defaults/main.yml @@ -1,4 +1,6 @@ --- +ferm_package: ferm + ferm_enabled: true ferm_limit_portscans: false diff --git a/roles/ferm/tasks/main.yml b/roles/ferm/tasks/main.yml index 9ceca90cab..63b0b0a4d0 100644 --- a/roles/ferm/tasks/main.yml +++ b/roles/ferm/tasks/main.yml @@ -8,7 +8,7 @@ - name: ensure ferm is installed apt: - name: ferm + name: "{{ ferm_package }}" state: "{{ ferm_package_state | default(apt_security_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" install_recommends: no diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 95ad282f0c..9bbea9848e 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,3 +1,6 @@ +mariadb_client_package: mariadb-client +mariadb_server_package: mariadb-server + mysql_binary_logging_disabled: true mysql_root_user: root diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 558ead5414..84c8c45788 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
@@ -1,14 +1,14 @@ --- - name: Install MySQL client apt: - name: mariadb-client + name: "{{ mariadb_client_package }}" state: "{{ mariadb_client_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" - block: - name: Install MySQL server apt: - name: mariadb-server + name: "{{ mariadb_server_package }}" state: "{{ mariadb_server_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" diff --git a/roles/ssmtp/defaults/main.yml b/roles/ssmtp/defaults/main.yml index d373337628..2c684dbacf 100644 --- a/roles/ssmtp/defaults/main.yml +++ b/roles/ssmtp/defaults/main.yml @@ -1,3 +1,4 @@ +ssmtp_package: ssmtp ssmtp_auth_method: LOGIN ssmtp_from_override: 'Yes' ssmtp_start_tls: 'Yes' diff --git a/roles/ssmtp/tasks/main.yml b/roles/ssmtp/tasks/main.yml index 9499fd5d8a..910451621a 100644 --- a/roles/ssmtp/tasks/main.yml +++ b/roles/ssmtp/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install ssmtp apt: - name: ssmtp + name: "{{ ssmtp_package }}" state: "{{ ssmtp_package_state | default(apt_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" diff --git a/roles/xdebug/defaults/main.yml b/roles/xdebug/defaults/main.yml index 334b958b8c..b210759a30 100644 --- a/roles/xdebug/defaults/main.yml +++ b/roles/xdebug/defaults/main.yml @@ -1,3 +1,5 @@ +php_xdebug_package: php-xdebug + # XDebug Remote Debugging xdebug_remote_enable: 0 xdebug_remote_connect_back: 0 diff --git a/roles/xdebug/tasks/main.yml b/roles/xdebug/tasks/main.yml index d55c8745dd..1a3061426c 100644 --- a/roles/xdebug/tasks/main.yml +++ b/roles/xdebug/tasks/main.yml @@ -2,7 +2,7 @@ - block: - name: Install Xdebug apt: - name: php-xdebug + name: "{{ php_xdebug_package }}" state: "{{ php_xdebug_package_state | default(apt_dev_package_state) }}" cache_valid_time: "{{ apt_cache_valid_time }}" From 950fd7e637d50a052dc9b79908fc2540e27bf5c5 Mon Sep 17 00:00:00 2001 
From: Tang Rufus Date: Mon, 25 Sep 2017 07:42:35 +0800 Subject: [PATCH 270/292] Vagrant: Use DHCP by default --- CHANGELOG.md | 1 + vagrant.default.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 578361c15e..9b091aacbd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Vagrant: Use DHCP by default ([#898](https://github.com/roots/trellis/pull/898)) * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) diff --git a/vagrant.default.yml b/vagrant.default.yml index 53a06b2716..af3ba97089 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml @@ -1,5 +1,5 @@ --- -vagrant_ip: '192.168.50.5' +vagrant_ip: dhcp vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' From a70566dcbef1b34057599cec6233abe261767143 Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Wed, 4 Oct 2017 20:01:43 -0400 Subject: [PATCH 271/292] Revert "Vagrant: Use DHCP by default" --- CHANGELOG.md | 1 - vagrant.default.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9b091aacbd..578361c15e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,4 @@ ### HEAD -* Vagrant: Use DHCP by default ([#898](https://github.com/roots/trellis/pull/898)) * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) diff --git a/vagrant.default.yml b/vagrant.default.yml index af3ba97089..53a06b2716 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml 
@@ -1,5 +1,5 @@ --- -vagrant_ip: dhcp +vagrant_ip: '192.168.50.5' vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' From d603d4540d15e7684f854863f0d0d8bfe4b47639 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sun, 8 Oct 2017 12:37:23 -0600 Subject: [PATCH 272/292] Update placeholder deploy_build_before hook example [ci skip] --- deploy-hooks/build-before.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/deploy-hooks/build-before.yml b/deploy-hooks/build-before.yml index 44cce03693..6c483c3f75 100644 --- a/deploy-hooks/build-before.yml +++ b/deploy-hooks/build-before.yml @@ -1,11 +1,14 @@ -# Placeholder `deploy_build_before` hook for building theme assets locally -# and then copying the files to the remote server +# Placeholder `deploy_build_before` hook for building theme assets on the +# host machine and then copying the files to the remote server +# +# ⚠️ This example assumes your theme is using Sage 9 +# An example for themes built with Sage 8 can be found at: https://git.io/vdgUt # # Uncomment the lines below and replace `sage` with your theme folder # # --- -# - name: Run yarn install -# command: yarn install +# - name: Install npm dependencies +# command: yarn # connection: local # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" @@ -21,7 +24,7 @@ # args: # chdir: "{{ project_local_path }}/web/app/themes/sage" # -# - name: Copy project local files +# - name: Copy production assets # synchronize: # src: "{{ project_local_path }}/web/app/themes/sage/dist" # dest: "{{ deploy_helper.new_release_path }}/web/app/themes/sage" From 0e9e1c51b348a9856186238775341a7b440abf85 Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Tue, 17 Oct 2017 11:05:12 -0300 Subject: [PATCH 273/292] Update wp-cli to 1.4.0. --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 578361c15e..93d73c902f 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906)) * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881)) * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895)) * Default h5bp expires and cache busting to false ([#894](https://github.com/roots/trellis/pull/894)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 8d70ab8527..12217328ac 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.3.0 +wp_cli_version: 1.4.0 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From fb039a193f51cadf607d1badbc09078efa199f63 Mon Sep 17 00:00:00 2001 From: Ned Zimmerman Date: Tue, 17 Oct 2017 14:57:59 -0300 Subject: [PATCH 274/292] Clarify DB task name. --- roles/wordpress-setup/tasks/database.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/wordpress-setup/tasks/database.yml b/roles/wordpress-setup/tasks/database.yml index bde2f14f30..61c74a5475 100644 --- a/roles/wordpress-setup/tasks/database.yml +++ b/roles/wordpress-setup/tasks/database.yml @@ -1,6 +1,6 @@ --- - block: - - name: Create database of sites + - name: Create databases for sites mysql_db: name: "{{ site_env.db_name }}" state: present From 1049fe8000e4d69ac07debf479cba894916c3623 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 29 Oct 2017 18:05:49 -0600 Subject: [PATCH 275/292] Bump Ansible version_tested_max to 2.4.1.0 (#911) --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- vagrant.default.yml | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 93d73c902f..5271f18bd9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911))
 * Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906))
 * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881))
 * Ansible 2.4 compatibility ([#895](https://github.com/roots/trellis/pull/895))
diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py
index fd6c7b4d4c..5e05494612 100644
--- a/lib/trellis/plugins/vars/version.py
+++ b/lib/trellis/plugins/vars/version.py
@@ -14,7 +14,7 @@
 display = Display()
 version_requirement = '2.4.0.0'
-version_tested_max = '2.4.0.0'
+version_tested_max = '2.4.1.0'
 if not ge(LooseVersion(__version__), LooseVersion(version_requirement)):
 raise AnsibleError(('Trellis no longer supports Ansible {}.\n'
diff --git a/vagrant.default.yml b/vagrant.default.yml
index 53a06b2716..dd6baa3a77 100644
--- a/vagrant.default.yml
+++ b/vagrant.default.yml
@@ -4,7 +4,7 @@ vagrant_cpus: 1
 vagrant_memory: 1024 # in MB
 vagrant_box: 'bento/ubuntu-16.04'
 vagrant_box_version: '<= 2.3.8'
-vagrant_ansible_version: '2.4.0'
+vagrant_ansible_version: '2.4.1.0'
 vagrant_skip_galaxy: false
 vagrant_install_plugins: true
From dd4f154fb5901f0b928ca7c2544a0a968ebb396c Mon Sep 17 00:00:00 2001
From: Phil Nelson
Date: Sun, 29 Oct 2017 19:23:24 -0600
Subject: [PATCH 276/292] Dynamically increase ansible_group_priority for selected env (#909)
Otherwise when a host is in both the production and staging groups, Ansible will always use the staging group vars, even if a user specifies `-e env=production`. Without a differing ansible_group_priority, Ansible loads sibling groups in alphabetical order and variables from the last group loaded win out.
---
 CHANGELOG.md | 1 +
 lib/trellis/plugins/callback/vars.py | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5271f18bd9..7e565cd8c7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909))
 * Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911))
 * Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906))
 * [BREAKING] Normalize `apt` tasks ([#881](https://github.com/roots/trellis/pull/881))
diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py
index 42942bdca1..98773de710 100644
--- a/lib/trellis/plugins/callback/vars.py
+++ b/lib/trellis/plugins/callback/vars.py
@@ -89,6 +89,11 @@ def darwin_without_passlib(self):
 return True
 def v2_playbook_on_play_start(self, play):
+ env = play.get_variable_manager().get_vars(play=play).get('env', '')
+ env_group = next((group for key,group in play.get_variable_manager()._inventory.groups.iteritems() if key == env), False)
+ if env_group:
+ env_group.set_priority(20)
+
 for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]):
 hostvars = play.get_variable_manager().get_vars(play=play, host=host)
 self.raw_vars(play, host, hostvars)
From fb000df729ff9843a2d88550bed255405bd46867 Mon Sep 17 00:00:00 2001
From: Mockey
Date: Tue, 31 Oct 2017 16:31:54 +0100
Subject: [PATCH 277/292] Update vagrant_box_version to current release
---
 vagrant.default.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vagrant.default.yml b/vagrant.default.yml
index dd6baa3a77..e8fe2f441b 100644
--- a/vagrant.default.yml
+++ b/vagrant.default.yml
@@ -3,7 +3,7 @@ vagrant_ip: '192.168.50.5'
 vagrant_cpus: 1
 vagrant_memory: 1024 # in MB
 vagrant_box: 'bento/ubuntu-16.04'
-vagrant_box_version: '<= 2.3.8'
+vagrant_box_version: '<= 201710.25.0'
 vagrant_ansible_version: '2.4.1.0'
 vagrant_skip_galaxy: false
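Review bot: The added `env_group` lookup iterates `_inventory.groups.iteritems()`, which is Python 2 only, even though this file already imports `iteritems` from `ansible.module_utils.six` (visible as context in a later hunk of the same file); on a Python 3 controller the play-start callback raises before any host vars are processed. The generator is also just a dict lookup by key, so the line can be `env_group = play.get_variable_manager()._inventory.groups.get(env)` — `.get` returns `None` when `env` is unset or names no group, which keeps the following `if env_group:` guard unchanged. The priority value 20 is a bare number; a comment such as `# must exceed the priority of the sibling env groups so the selected env's group vars win` would explain the choice. The enclosing method continues outside the hunk.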
From f6c7d575936cbe1601f93b3afa03f5effd2bfd35 Mon Sep 17 00:00:00 2001
From: Scott Walkinshaw
Date: Fri, 3 Nov 2017 19:16:08 -0400
Subject: [PATCH 278/292] Enable ioapic
---
 CHANGELOG.md | 1 +
 Vagrantfile | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e565cd8c7..77c4064243 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913))
 * Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909))
 * Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911))
 * Update wp-cli to 1.4.0 ([#906](https://github.com/roots/trellis/pull/906))
diff --git a/Vagrantfile b/Vagrantfile
index f50dce7543..a568e0e67d 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -140,10 +140,11 @@ Vagrant.configure('2') do |config|
 vb.name = config.vm.hostname
 vb.customize ['modifyvm', :id, '--cpus', vconfig.fetch('vagrant_cpus')]
 vb.customize ['modifyvm', :id, '--memory', vconfig.fetch('vagrant_memory')]
+ vb.customize ['modifyvm', :id, '--ioapic', vconfig.fetch('vagrant_ioapic', 'on')]
 # Fix for slow external network connections
- vb.customize ['modifyvm', :id, '--natdnshostresolver1', 'on']
- vb.customize ['modifyvm', :id, '--natdnsproxy1', 'on']
+ vb.customize ['modifyvm', :id, '--natdnshostresolver1', vconfig.fetch('vagrant_natdnshostresolver', 'on')]
+ vb.customize ['modifyvm', :id, '--natdnsproxy1', vconfig.fetch('vagrant_natdnsproxy', 'on')]
 end
 # VMware Workstation/Fusion settings
From 9d67ada3e4e9ababc08da9eeb5453ed6001f540c Mon Sep 17 00:00:00 2001
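Review bot: The three new `vconfig.fetch` keys in the Vagrantfile hunk — `vagrant_ioapic`, `vagrant_natdnshostresolver`, `vagrant_natdnsproxy` — get their `'on'` defaults only inside the Vagrantfile; the diffstat shows this commit touches only CHANGELOG.md and the Vagrantfile, so `vagrant.default.yml`, where the other `vagrant_*` settings live, does not list them. Adding the three keys there with their defaults and a one-line comment each would let users discover and override them without reading the Vagrantfile. The enclosing provider block starts outside the hunk.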
From: Phil Nelson
Date: Mon, 6 Nov 2017 13:08:06 -0700
Subject: [PATCH 279/292] Fix raw_vars functionality for Ansible 2.4.1 (#915)
In Ansible 2.4.1 only, the VariableManager get_vars() does not return group vars unless method parameters include a task object. Trellis raw_vars functionality did not pass a task and thus did not receive group vars and could not wrap the variable values in `{% raw %}`. Temporarily feed a dummy Task() to get_vars() as a temporary fix until the Trellis minimum Ansible requirement >= 2.4.2, when the issue should be resolved in upstream Ansible.
---
 CHANGELOG.md | 1 +
 lib/trellis/plugins/callback/vars.py | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77c4064243..68ba61d4df 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 ### HEAD
+* Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915))
 * Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913))
 * Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909))
 * Bump Ansible `version_tested_max` to 2.4.1.0 ([#911](https://github.com/roots/trellis/pull/911))
diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py
index 98773de710..adcec79c37 100644
--- a/lib/trellis/plugins/callback/vars.py
+++ b/lib/trellis/plugins/callback/vars.py
@@ -10,6 +10,7 @@
 from ansible.parsing.dataloader import DataLoader
 from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode
 from ansible.playbook.play_context import PlayContext
+from ansible.playbook.task import Task
 from ansible.plugins.callback import CallbackBase
 from ansible.template import Templar
@@ -95,7 +96,8 @@ def v2_playbook_on_play_start(self, play): env_group.set_priority(20) for host in play.get_variable_manager()._inventory.list_hosts(play.hosts[0]): - hostvars = play.get_variable_manager().get_vars(play=play, host=host) + # it should be ok to remove dummy Task() once minimum required Ansible >= 2.4.2 + hostvars = play.get_variable_manager().get_vars(play=play, host=host, task=Task()) self.raw_vars(play, host, hostvars) host.vars['ssh_args_default'] = PlayContext(play=play, options=self._options)._ssh_args.default host.vars['cli_options'] = self.cli_options() From c4706e0890b2cdd72a7ddb4467830b6d811dbb77 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 12 Nov 2017 11:57:08 -0700 Subject: [PATCH 280/292] Remove outdated to_unicode import from plugin utils (#916) The to_unicode method as fallback is no longer needed. Ansible 2.2 deprecated to_unicode in favor of to_text. The to_text method has been available since 2.2 and Trellis now requires 2.4+. --- lib/trellis/utils/output.py | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index 7cd54ba5c8..dd68f1f5d0 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -8,12 +8,7 @@ import textwrap from ansible import __version__ - -# to_unicode will no longer be needed once Trellis requires Ansible >= 2.2 -try: - from ansible.module_utils._text import to_text -except ImportError: - from ansible.utils.unicode import to_unicode as to_text +from ansible.module_utils._text import to_text def system(vagrant_version=None): # Get most recent Trellis CHANGELOG entry From 2d53e818c9b05c631228d65b681eaa662448fdce Mon Sep 17 00:00:00 2001 
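Review bot: The dummy `Task()` is constructed on every iteration of the per-host loop although it carries no per-host state, and the accompanying comment gives no pointer to what upstream change makes it removable. Unless `get_vars()` mutates the task (not visible here), hoist it once before the loop, `dummy_task = Task()  # Ansible 2.4.1 get_vars() omits group vars without a task; drop once min Ansible >= 2.4.2`, and pass `task=dummy_task`, so the workaround and its removal condition sit in one place. The enclosing `v2_playbook_on_play_start` starts outside the hunk.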
From: Phil Nelson Date: Sun, 12 Nov 2017 11:59:05 -0700 Subject: [PATCH 281/292] Replace bare Dataloader() with pre-loaded play._loader (#917) The play._loader already exists. It is pre-loaded with play._loader._vault.secrets, play._loader.FILE_CACHE, etc. There's little point in creating a fresh Dataloader() and having to process or load it up. --- lib/trellis/plugins/callback/vars.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/lib/trellis/plugins/callback/vars.py b/lib/trellis/plugins/callback/vars.py index adcec79c37..c0742ca2a3 100644 --- a/lib/trellis/plugins/callback/vars.py +++ b/lib/trellis/plugins/callback/vars.py @@ -7,7 +7,6 @@ from __main__ import cli from ansible.module_utils.six import iteritems from ansible.errors import AnsibleError -from ansible.parsing.dataloader import DataLoader from ansible.parsing.yaml.objects import AnsibleMapping, AnsibleSequence, AnsibleUnicode from ansible.playbook.play_context import PlayContext from ansible.playbook.task import Task @@ -22,7 +21,6 @@ class CallbackModule(CallbackBase): CALLBACK_NAME = 'vars' def __init__(self): - self.loader = DataLoader() self._options = cli.options if cli else None def raw_triage(self, key_string, item, patterns): @@ -43,7 +41,7 @@ def raw_vars(self, play, host, hostvars): if 'raw_vars' not in hostvars: return - raw_vars = Templar(variables=hostvars, loader=self.loader).template(hostvars['raw_vars']) + raw_vars = Templar(variables=hostvars, loader=play._loader).template(hostvars['raw_vars']) if not isinstance(raw_vars, list): raise AnsibleError('The `raw_vars` variable must be defined as a list.') From 112a88717c9ac82e87531a55242156d47f279501 Mon Sep 17 00:00:00 2001 
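Review bot: `play._loader` is a private attribute of `Play`, so `raw_vars` now depends on Ansible internals that the version guard in version.py does not cover; a note beside the call, `# play._loader is private Ansible API; re-check when bumping version_tested_max`, makes that dependency explicit for the next bump. The `__init__` hunk removes `self.loader`, so any other reference to it elsewhere in this file (not visible here) would now raise AttributeError and is worth a grep before merging. The `raw_vars` method continues beyond the end of the hunk.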
From: Phil Nelson Date: Sun, 12 Nov 2017 12:57:35 -0700 Subject: [PATCH 282/292] Disallow duplicate site keys within a host's wordpress_sites (#910) If a user loads both staging and production sites on a single host, site keys must differ between environments to prevent conflict that would otherwise occur in resources built from site keys (e.g., Nginx conf filepaths). --- CHANGELOG.md | 1 + roles/common/defaults/main.yml | 20 ++++++++++++++++++++ roles/common/tasks/main.yml | 22 ++++++++++++++++++++++ 3 files changed, 43 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68ba61d4df..625d40f306 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910)) * Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915)) * Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913)) * Dynamically increase `ansible_group_priority` for selected env ([#909](https://github.com/roots/trellis/pull/909)) diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 3ec83ee973..5e92f1487f 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
@@ -1,5 +1,25 @@ ntp_timezone: Etc/UTC +env_groups: "{{ ['development', 'staging', 'production'] | intersect(group_names) }}" + +envs_with_wp_sites: "{{ + lookup('filetree', playbook_dir + '/group_vars') | + selectattr('path', 'match', '(' + env_groups | join('|') + ')/wordpress_sites\\.yml$') | + map(attribute='path') | map('regex_replace', '([^/]*)/.*', '\\1') | list +}}" + +site_keys_by_env_pair: "[ + {% for env_pair in envs_with_wp_sites | combinations(2) | list %} + { + 'env_pair': {{ env_pair }}, + 'site_keys': {{ + (vars[env_pair[0] + '_sites'].wordpress_sites | default({})).keys() | intersect( + (vars[env_pair[1] + '_sites'].wordpress_sites | default({})).keys()) + }} + }, + {% endfor %} +]" + apt_packages_default: python-software-properties: "{{ apt_package_state }}" python-pycurl: "{{ apt_package_state }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 0c675079c6..7248ce50da 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,4 +1,26 @@ --- +- block: + - name: Load wordpress_sites.yml vars into _sites vars + include_vars: + file: group_vars/{{ item }}/wordpress_sites.yml + name: "{{ item }}_sites" + with_items: "{{ envs_with_wp_sites }}" + when: envs_with_wp_sites | count > 1 + + - name: Fail if there are duplicate site keys within host's wordpress_sites + fail: + msg: > + If you put multiple environments on `{{ inventory_hostname }}`, `wordpress_sites` + must use different site keys per environment. Adjust the following site keys that + are duplicated between the `{{ item.env_pair | join('` and `') }}` groups: + {{ item.site_keys | to_nice_yaml | indent(2) }} + when: item.site_keys | count + with_items: "{{ site_keys_by_env_pair }}" + + when: + - env_groups | count > 1 + - validate_site_keys | default(true) | bool + - name: Validate wordpress_sites fail: msg: "{{ lookup('template', 'wordpress_sites.j2') }}" From af9f63571494a16e6039f6889c6e45845552a67b Mon Sep 17 00:00:00 2001 
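Review bot: `site_keys_by_env_pair` is assembled as a string in Jinja (`{{ env_pair }}` renders Python list syntax inside a bracketed literal) and relies on Ansible turning the rendered string back into a list of dicts; that conversion is implicit and deserves a comment above the variable, e.g. `# Rendered as a list literal; Ansible evaluates it back into a list of {env_pair, site_keys} dicts consumed by roles/common/tasks/main.yml`. Likewise `envs_with_wp_sites` builds its `match` pattern from `env_groups`, so when the host is in none of the three environment groups the pattern matches nothing and the list is empty, which is the intended no-op but is not obvious from the expression.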
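Review bot: The block is gated on `validate_site_keys | default(true) | bool`, but the diffstat shows no default declared for `validate_site_keys` in roles/common/defaults/main.yml, so the opt-out is undiscoverable; add `validate_site_keys: true` to the defaults with a comment naming what it disables. The `include_vars` step loads `group_vars/{{ item }}/wordpress_sites.yml` into `{{ item }}_sites`; since `item` comes from `envs_with_wp_sites`, which is restricted to the intersection of the three known environment names and `group_names`, the file path cannot be steered by arbitrary inventory input, and a short comment on the task stating that constraint would save future readers the same analysis.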
From: Ned Zimmerman Date: Mon, 13 Nov 2017 14:14:53 -0400 Subject: [PATCH 283/292] Update to WP-CLI 1.4.1. --- CHANGELOG.md | 1 + roles/wp-cli/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 625d40f306..b22a7fb6f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Update wp-cli to 1.4.1 ([#918](https://github.com/roots/trellis/pull/918)) * Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910)) * Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915)) * Enable Virtualbox ioapic option ([#913](https://github.com/roots/trellis/pull/913)) diff --git a/roles/wp-cli/defaults/main.yml b/roles/wp-cli/defaults/main.yml index 12217328ac..fcc8ab74d9 100644 --- a/roles/wp-cli/defaults/main.yml +++ b/roles/wp-cli/defaults/main.yml @@ -1,4 +1,4 @@ -wp_cli_version: 1.4.0 +wp_cli_version: 1.4.1 wp_cli_bin_path: /usr/bin/wp wp_cli_phar_url: "https://github.com/wp-cli/wp-cli/releases/download/v{{ wp_cli_version }}/wp-cli-{{ wp_cli_version }}.phar" wp_cli_completion_url: "https://raw.githubusercontent.com/wp-cli/wp-cli/v{{ wp_cli_version }}/utils/wp-completion.bash" From f759a11738a0f490ad52a04a8cd32dbd98ee73db Mon Sep 17 00:00:00 2001 From: Scott Walkinshaw Date: Mon, 13 Nov 2017 20:10:11 -0500 Subject: [PATCH 284/292] 1.0.0-rc.2 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b22a7fb6f8..9a7cbb4d21 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -### HEAD +### 1.0.0-rc.2: November 13th, 2017 * Update wp-cli to 1.4.1 ([#918](https://github.com/roots/trellis/pull/918)) * Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910)) * Fix `raw_vars` functionality for Ansible 2.4.1 ([#915](https://github.com/roots/trellis/pull/915)) 
From 5199022f772a729e79aa6838cddf1af3ff790579 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Mon, 13 Nov 2017 18:53:26 -0700 Subject: [PATCH 285/292] Enable select deploy configs to optionally vary by site (#919) --- roles/deploy/hooks/finalize-after.yml | 4 ++-- roles/deploy/hooks/finalize-before.yml | 2 +- roles/deploy/tasks/build.yml | 4 ++-- roles/deploy/tasks/share.yml | 12 ++++++------ roles/deploy/tasks/update.yml | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml index d60809d0da..987ac2a6c5 100644 --- a/roles/deploy/hooks/finalize-after.yml +++ b/roles/deploy/hooks/finalize-after.yml @@ -6,7 +6,7 @@ chdir: "{{ deploy_helper.current_path }}" register: site_transient_theme_roots changed_when: site_transient_theme_roots.stdout != '' - when: update_wp_theme_paths | default(true) | bool + when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool - name: Update WP theme paths command: > @@ -15,7 +15,7 @@ {% if project.multisite.enabled | default(false) %} --url={{ item[1].split(' ')[0] }}{% endif %} args: chdir: "{{ deploy_helper.current_path }}" - when: update_wp_theme_paths | default(true) | bool + when: project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool with_subelements: - "[{% for result in wp_template_root.results %}{'option': '{{ result.item }}', 'stdout_lines': {{ result.stdout_lines | default ([]) | select('search', deploy_helper.releases_path) | list }}},{% endfor %}]" - stdout_lines diff --git a/roles/deploy/hooks/finalize-before.yml b/roles/deploy/hooks/finalize-before.yml index ec40bc9ee2..d3fed2b46a 100644 --- a/roles/deploy/hooks/finalize-before.yml +++ b/roles/deploy/hooks/finalize-before.yml 
@@ -26,7 +26,7 @@ failed_when: wp_template_root.stderr | default('') != '' when: - wp_installed.rc == 0 - - update_wp_theme_paths | default(true) | bool + - project.update_wp_theme_paths | default(update_wp_theme_paths | default(true)) | bool with_items: - template_root - stylesheet_root diff --git a/roles/deploy/tasks/build.yml b/roles/deploy/tasks/build.yml index c7cf9be7d2..0151fc0d8c 100644 --- a/roles/deploy/tasks/build.yml +++ b/roles/deploy/tasks/build.yml @@ -10,13 +10,13 @@ src: "{{ item.src }}" dest: "{{ deploy_helper.new_release_path }}/{{ item.dest }}" mode: "{{ item.mode | default('0644') }}" - with_items: "{{ project_templates }}" + with_items: "{{ project.project_templates | default(project_templates) }}" - name: Check if project folders exist stat: path: "{{ deploy_helper.current_path }}/{{ item }}" register: project_folder_paths - with_items: "{{ project_copy_folders }}" + with_items: "{{ project.project_copy_folders | default(project_copy_folders) }}" - name: Copy project folders command: cp -rp {{ deploy_helper.current_path }}/{{ item.item }} {{ deploy_helper.new_release_path }} diff --git a/roles/deploy/tasks/share.yml b/roles/deploy/tasks/share.yml index 0537a8887f..294c05d4b9 100644 --- a/roles/deploy/tasks/share.yml +++ b/roles/deploy/tasks/share.yml @@ -10,7 +10,7 @@ path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: directory mode: "{{ item.mode | default('0755') }}" - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'directory' - name: Ensure shared sources are present -- files' parent directories 
@@ -18,7 +18,7 @@ path: "{{ deploy_helper.shared_path }}/{{ item.src | dirname }}" state: directory mode: '0755' - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' - name: Ensure shared sources are present -- files @@ -26,27 +26,27 @@ path: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: touch mode: "{{ item.mode | default('0644') }}" - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" when: item.type | default('directory') | lower == 'file' - name: Ensure parent directories for shared paths are present file: path: "{{ deploy_helper.new_release_path }}/{{ item.path | dirname }}" state: directory - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" - name: Ensure shared paths are absent file: path: "{{ deploy_helper.new_release_path }}/{{ item.path }}" state: absent - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" - name: Create shared symlinks file: path: "{{ deploy_helper.new_release_path }}/{{ item.path }}" src: "{{ deploy_helper.shared_path }}/{{ item.src }}" state: link - with_items: "{{ project_shared_children }}" + with_items: "{{ project.project_shared_children | default(project_shared_children) }}" - include_tasks: "{{ include_path }}" with_items: "{{ deploy_share_after | default([]) }}" diff --git a/roles/deploy/tasks/update.yml b/roles/deploy/tasks/update.yml index 1be9bc1ff8..672784b3f8 100644 --- a/roles/deploy/tasks/update.yml +++ b/roles/deploy/tasks/update.yml 
@@ -37,7 +37,7 @@ repo: "{{ project_git_repo }}" dest: "{{ project_source_path }}" version: "{{ project_version }}" - accept_hostkey: "{{ repo_accept_hostkey | default(true) }}" + accept_hostkey: "{{ project.repo_accept_hostkey | default(repo_accept_hostkey | default(true)) }}" ignore_errors: true no_log: true register: git_clone From 9a41f2d8894de094a0a718846edec401d71d2440 Mon Sep 17 00:00:00 2001 From: "Michael W. Delaney" Date: Wed, 15 Nov 2017 07:51:32 -0500 Subject: [PATCH 286/292] Update acme-tiny commit hash --- roles/letsencrypt/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml index b6ad540cc5..2bd7b12805 100644 --- a/roles/letsencrypt/defaults/main.yml +++ b/roles/letsencrypt/defaults/main.yml @@ -4,7 +4,7 @@ missing_hosts: "{{ site_hosts | difference((current_hosts.results | selectattr(' letsencrypt_cert_ids: "{ {% for item in (generate_cert_ids | default({'results':[{'skipped':True}]})).results if not item | skipped %}'{{ item.item.key }}':'{{ item.stdout }}', {% endfor %} }" acme_tiny_repo: 'https://github.com/diafygi/acme-tiny.git' -acme_tiny_commit: '5a7b4e79bc9bd5b51739c0d8aaf644f62cc440e6' +acme_tiny_commit: '4ed13950c0a9cf61f1ca81ff1874cde1cf48ab32' acme_tiny_software_directory: /usr/local/letsencrypt acme_tiny_data_directory: /var/lib/letsencrypt From b99cde0bbcce48c8e85175652e5a12a276aa867b Mon Sep 17 00:00:00 2001 From: Ben Word Date: Sat, 18 Nov 2017 12:34:09 -0700 Subject: [PATCH 287/292] Close #580 - Switch from .dev to .test --- CHANGELOG.md | 3 +++ group_vars/development/wordpress_sites.yml | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a7cbb4d21..63f569d852 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
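Review bot: `accept_hostkey` can now be enabled per site while the effective default stays `true`, meaning the git server's SSH host key is accepted on first contact without verification; that is a trust decision and should be documented next to the new `project.repo_accept_hostkey` option, with the recommendation to pre-seed known_hosts on the deploy target and set it to `false` for production. A comment on the line, `# true = accept an unknown git host key on first clone (TOFU); prefer pre-seeded known_hosts`, would suffice. The `git` task this belongs to starts before the hunk.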
@@ -1,3 +1,6 @@ +### HEAD +* Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923)) + ### 1.0.0-rc.2: November 13th, 2017 * Update wp-cli to 1.4.1 ([#918](https://github.com/roots/trellis/pull/918)) * Disallow duplicate site keys within a host's `wordpress_sites` ([#910](https://github.com/roots/trellis/pull/910)) diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml index 5153ccc612..90009265e2 100644 --- a/group_vars/development/wordpress_sites.yml +++ b/group_vars/development/wordpress_sites.yml @@ -5,11 +5,11 @@ wordpress_sites: example.com: site_hosts: - - canonical: example.dev + - canonical: example.test redirects: - - www.example.dev + - www.example.test local_path: ../site # path targeting local Bedrock site directory (relative to Ansible root) - admin_email: admin@example.dev + admin_email: admin@example.test multisite: enabled: false ssl: From 4a82898d905e20cc6fd89d8817f5e44707fe467b Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 18 Nov 2017 18:17:16 -0700 Subject: [PATCH 288/292] Expose the deploy_helper keep_releases option (#922) The default keep_releases = 5 may not fit all users. --- roles/deploy/tasks/finalize.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/deploy/tasks/finalize.yml b/roles/deploy/tasks/finalize.yml index 996873919d..7ec6e32944 100644 --- a/roles/deploy/tasks/finalize.yml +++ b/roles/deploy/tasks/finalize.yml @@ -11,6 +11,7 @@ path: "{{ project_root }}" release: "{{ deploy_helper.new_release }}" state: finalize + keep_releases: "{{ project.deploy_keep_releases | default(deploy_keep_releases | default(omit)) }}" - include_tasks: "{{ include_path }}" with_items: "{{ deploy_finalize_after | default([]) }}" From 34f17182929ca4bdc55421ff1556c115238be24a Mon Sep 17 00:00:00 2001 
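Review bot: `deploy_keep_releases` is introduced in finalize.yml without a declared default anywhere in this patch (the diffstat lists only that file), so the `omit` fallback silently leaves deploy_helper's built-in behaviour in effect and users cannot discover the knob; declare it in the deploy role defaults (commented out, or with the value the role intends) and mention the per-site `project.deploy_keep_releases` override there. A comment on the new line, `# number of previous releases deploy_helper keeps when finalizing; older ones are cleaned up`, states the consequence of lowering it. The `deploy_helper` task starts before the hunk.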
From: Ben Word Date: Mon, 27 Nov 2017 17:03:44 -0700 Subject: [PATCH 289/292] Add Code of Conduct [ci skip] --- CODE_OF_CONDUCT.md | 74 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 CODE_OF_CONDUCT.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000000..f663c4792c --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,74 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, gender identity and expression, level of experience, +nationality, personal appearance, race, religion, or sexual identity and +orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or + advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at team@roots.io. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html + +[homepage]: https://www.contributor-covenant.org + From e0fee339fd72123b7e7accab4a2367de895995a1 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Wed, 29 Nov 2017 09:22:17 -0700 Subject: [PATCH 290/292] Remove cron_file if WP system cron disabled (#927) If a cron_file has already been created but then a user sets `multisite.cron: false`, these cron tasks should not skip. Rather, they should run with the parameter `state: absent` in order to remove the cron_file. --- roles/wordpress-setup/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/roles/wordpress-setup/tasks/main.yml b/roles/wordpress-setup/tasks/main.yml index 732d95e383..87400fc68c 100644 --- a/roles/wordpress-setup/tasks/main.yml +++ b/roles/wordpress-setup/tasks/main.yml @@ -49,8 +49,8 @@ user: "{{ web_user }}" job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-{{ item.key | replace('.', '_') }}" + state: "{{ (cron_enabled and not item.value.multisite.enabled) | ternary('present', 'absent') }}" with_dict: "{{ wordpress_sites }}" - when: cron_enabled and not item.value.multisite.enabled - name: Setup WP Multisite system cron cron: @@ -59,5 +59,5 @@ user: "{{ web_user }}" job: "cd {{ www_root }}/{{ item.key }}/{{ item.value.current_path | default('current') }} && wp site list --field=url | xargs -n1 -I \\% wp --url=\\% cron event run --due-now > /dev/null 2>&1" cron_file: "wordpress-multisite-{{ item.key | replace('.', '_') }}" + state: "{{ (cron_enabled and item.value.multisite.enabled) | ternary('present', 'absent') }}" with_dict: "{{ wordpress_sites }}" - when: cron_enabled and item.value.multisite.enabled From 9d1bdade43674d84051471fffd427d0ccda1ab92 Mon Sep 17 00:00:00 2001 From: Patrick Artounian Date: Tue, 28 Nov 2017 08:43:27 -0800 Subject: [PATCH 291/292] Add MariaDB 10.2 PPA --- CHANGELOG.md | 1 + roles/mariadb/defaults/main.yml | 4 ++++ roles/mariadb/tasks/main.yml | 11 +++++++++++ 3 files changed, 16 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 63f569d852..3b6e8f6d19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Add MariaDB 10.2 PPA ([#926](https://github.com/roots/trellis/pull/926)) * Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923)) ### 1.0.0-rc.2: November 13th, 2017 diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index 9bbea9848e..fbb1a13579 100644 --- a/roles/mariadb/defaults/main.yml 
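Review bot: Replacing the `when:` guards with computed `state:` values makes both cron tasks visit every site and rely on `absent` to remove files created before `cron_enabled` or `multisite.enabled` was changed, but nothing in the task text explains why disabled sites are still processed; a comment above each task, `# runs with state=absent for disabled sites so a previously written cron_file is removed`, carries the intent from the commit message into the playbook. The two ternary conditions are exact complements, so it is also worth noting that a site gets exactly one of the single-site or multisite cron files. Both tasks begin before their hunks (the `name:` and `cron:` lines are outside).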
+++ b/roles/mariadb/defaults/main.yml @@ -1,3 +1,7 @@ +mariadb_keyserver: keyserver.ubuntu.com +mariadb_keyserver_id: "0xF1656F24C74CD1D8" +mariadb_ppa: "deb [arch=amd64,i386,ppc64el] http://ftp.osuosl.org/pub/mariadb/repo/10.2/ubuntu xenial main" + mariadb_client_package: mariadb-client mariadb_server_package: mariadb-server diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 84c8c45788..f4e21e561e 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml @@ -1,4 +1,15 @@ --- +- block: + - name: Add MariaDB APT key + apt_key: + keyserver: "{{ mariadb_keyserver }}" + id: "{{ mariadb_keyserver_id }}" + + - name: Add MariaDB PPA + apt_repository: + repo: "{{ mariadb_ppa }}" + update_cache: yes + - name: Install MySQL client apt: name: "{{ mariadb_client_package }}" From 7d81e08d921768f5a0c39976be2105694db2ff0e Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sun, 31 Dec 2017 12:31:38 -0700 Subject: [PATCH 292/292] Bump Ansible version_tested_max to 2.4.2.0 (#932) Callback events must interpret task status as `failed: true` based on the callback event type and not on any such status passed via the task `result`. --- CHANGELOG.md | 1 + lib/trellis/plugins/vars/version.py | 2 +- lib/trellis/utils/output.py | 7 +++---- vagrant.default.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3b6e8f6d19..0cca88dc7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ ### HEAD +* Bump Ansible `version_tested_max` to 2.4.2.0 ([#932](https://github.com/roots/trellis/pull/932)) * Add MariaDB 10.2 PPA ([#926](https://github.com/roots/trellis/pull/926)) * Switch from `.dev` to `.test` ([#923](https://github.com/roots/trellis/pull/923)) diff --git a/lib/trellis/plugins/vars/version.py b/lib/trellis/plugins/vars/version.py index 5e05494612..273ae5f310 100644 --- a/lib/trellis/plugins/vars/version.py +++ b/lib/trellis/plugins/vars/version.py 
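Review bot: The MariaDB signing key is fetched from `keyserver.ubuntu.com` by a 64-bit key ID (`0xF1656F24C74CD1D8`) over plain HKP, and the repository line uses `http://`; apt verifies package signatures, so the weak point is key retrieval, where a short ID can be satisfied by a different key on a public keyserver. Prefer setting `mariadb_keyserver_id` to the full fingerprint (apt_key accepts it as `id`), or fetching the key over HTTPS with `url:` and checking it against a known fingerprint, and use an https mirror if one is available. The block also hardcodes `xenial` in `mariadb_ppa` and has no `when:` on the distribution, so it would add a wrong repository on another release; `{{ ansible_distribution_release }}` in the repo line plus `when: ansible_distribution == 'Ubuntu'` on the block keeps it honest.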
@@ -14,7 +14,7 @@ display = Display() version_requirement = '2.4.0.0' -version_tested_max = '2.4.1.0' +version_tested_max = '2.4.2.0' if not ge(LooseVersion(__version__), LooseVersion(version_requirement)): raise AnsibleError(('Trellis no longer supports Ansible {}.\n' diff --git a/lib/trellis/utils/output.py b/lib/trellis/utils/output.py index dd68f1f5d0..7d45369e76 100644 --- a/lib/trellis/utils/output.py +++ b/lib/trellis/utils/output.py @@ -62,10 +62,9 @@ def display(obj, result): display = obj._display.display wrap_width = 77 first = obj.first_host and obj.first_item - failed = result.get('failed', False) or result.get('unreachable', False) # Only display msg if debug module or if failed (some modules have undesired 'msg' on 'ok') - if 'msg' in result and (failed or obj.action == 'debug'): + if 'msg' in result and (obj.task_failed or obj.action == 'debug'): msg = result.pop('msg', '') # Disable Ansible's verbose setting for debug module to avoid the CallbackBase._dump_results() @@ -73,7 +72,7 @@ def display(obj, result): del result['_ansible_verbose_always'] # Display additional info when failed - if failed: + if obj.task_failed: items = (item for item in ['reason', 'module_stderr', 'module_stdout', 'stderr'] if item in result and to_text(result[item]) != '') for item in items: msg = result[item] if msg == '' else '\n'.join([msg, result.pop(item, '')]) @@ -106,7 +105,7 @@ def display(obj, result): else: if not first: display(hr, 'bright gray') - display(msg, 'red' if failed else 'bright purple') + display(msg, 'red' if obj.task_failed else 'bright purple') def display_host(obj, result): if 'results' not in result._result: diff --git a/vagrant.default.yml b/vagrant.default.yml index e8fe2f441b..bd79ec9bab 100644 --- a/vagrant.default.yml +++ b/vagrant.default.yml 
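Review bot: `obj.task_failed` replaces the `result`-derived `failed` flag in all three output.py hunks, but nothing in this patch assigns `task_failed` on the callback object, so `display()` now depends on every caller having set the attribute first; any event path that calls `display()` without doing so would raise AttributeError rather than just pick the wrong colour. The old expression also folded in `result.get('unreachable', False)`, which has no counterpart here unless the unreachable handler sets `task_failed = True` — worth confirming. A defensive `failed = getattr(obj, 'task_failed', False)` at the top of `display()`, restoring the single local the three sites used, keeps the function self-contained. `display()`'s signature is above the first hunk and its body runs beyond the third.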
@@ -4,7 +4,7 @@ vagrant_cpus: 1 vagrant_memory: 1024 # in MB vagrant_box: 'bento/ubuntu-16.04' vagrant_box_version: '<= 201710.25.0' -vagrant_ansible_version: '2.4.1.0' +vagrant_ansible_version: '2.4.2.0' vagrant_skip_galaxy: false vagrant_install_plugins: true