Adding a PHP extension without editing the php role directly?

You nailed it. You may put that exact snippet in any group_vars file you choose. I’d probably choose group_vars/all/main.yml.

Regarding the defaults in any trellis/roles/<rolename>/defaults/main.yml files, they have the lowest priority and they live to be overridden by your redefinition in group_vars files.

Trellis has begun to use a pattern to make it easier to override some defaults (roots/trellis#735 and roots/trellis#787). The combo of php_extensions_default + php_extensions_custom make it so if you’d like to add to the list of php extensions, you only need to redefine php_extensions_custom instead of the entire list of php_extensions.