As far as I can tell, you are correct that attempting to have staging and production on the same server is creating the challenges. My recommendation would be to use a different server for each environment and the issues you’ve mentioned should resolve. You’ll find various discussions in this Roots discourse of whether to put staging and production on the same server vs. separate servers. In my opinion the intention of Trellis and best practice generally is separate servers.
**hostname alias in hosts file.** If you must use a single server for both staging and production, use an alias in your hosts file (see option 1). Discussion in that thread will demonstrate how doing this will clarify for Ansible which vars are for staging vs. for production.

I suspect that your SSL cert wasn’t recreated because – with both envs on the same server and with the same hostname in your hosts file – Ansible just always used the staging `wordpress_sites` even when you indicated `-e env=production`.
**site key.** If you must use a single server for both staging and production, use a different “site key” in your staging `wordpress_sites` dictionary:

```diff
wordpress_sites:
-  nico.onl:
+  stage.nico.onl:
    site_hosts:
    ...
```
Trellis uses this site key in some directory paths and file names. If on a single server you duplicate this key for different sites or envs, the duplicate will overwrite the original. I think this accounts for why your Nginx conf `nico.onl.conf` was only for staging.
Try making the change above, then run

```sh
# fix up staging
ansible-playbook server.yml -e env=staging --tags letsencrypt
# fix up production
ansible-playbook server.yml -e env=production --tags letsencrypt
```
After the change and the reprovision, you should see separate files `nico.onl.conf` and `stage.nico.onl.conf`, among other improvements.
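To show the two workarounds above side by side (hosts-file alias and a distinct site key), here is an added illustration that is not from the original post or from Trellis itself. It assumes a single server at the constructed address 203.0.113.10, the inventory written in Ansible's YAML form rather than the INI files Trellis ships, and `stage.nico.onl` / `nico.onl` as the two site keys:

```yaml
# hosts/staging  (assumption: YAML inventory; Trellis's default hosts files are INI)
# The alias "staging-box" is what Ansible uses as the host name, so only the
# "staging" group_vars apply to it even though it shares an IP with production.
all:
  children:
    staging:
      hosts:
        staging-box:
          ansible_host: 203.0.113.10   # constructed example address
    web:
      hosts:
        staging-box:

# hosts/production  (same server, different alias -> different group_vars)
all:
  children:
    production:
      hosts:
        production-box:
          ansible_host: 203.0.113.10   # constructed example address
    web:
      hosts:
        production-box:

# group_vars/staging/wordpress_sites.yml
# Distinct site key so Nginx conf, cert paths and web root do not collide
# with production's "nico.onl" on the same machine.
wordpress_sites:
  stage.nico.onl:
    site_hosts:
      - canonical: stage.nico.onl
    local_path: ../site
    repo: git@example.invalid:example/site.git   # placeholder repo
    branch: master
    multisite:
      enabled: false
    ssl:
      enabled: true
      provider: letsencrypt
    cache:
      enabled: false

# group_vars/production/wordpress_sites.yml keeps the original key:
#   wordpress_sites:
#     nico.onl:
#       site_hosts:
#         - canonical: nico.onl
#       ...
```

With both changes the staging and production runs write `stage.nico.onl.conf` and `nico.onl.conf` respectively, so neither provisioning pass overwrites the other's Nginx conf or certificate.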
**force cert renewal.** During provisioning (i.e., `server.yml`) Trellis should automatically renew the cert if the cert is more than 60 days old or if there is a change in relevant parameters like the `site_hosts` etc. I guess there isn’t a “force” renewal option (except maybe setting `letsencrypt_min_renewal_age: 0`), but if you SSH in to the server and `mv` the cert in `/etc/nginx/ssl/letsencrypt` to a different name, then run `server.yml` again, Trellis will see that the cert file appears to be missing and attempt to recreate it.
**managed hosting vs. self-managed VPS.** I’ve gained a little experience managing sites on my own VPS, but it has felt like a long road. When issues came up and I was under pressure, it was a road through hell. Other times this investment has paid off to where I have much more access and ability to control stuff than I would have had with a basic managed hosting plan. For me it’s interesting and worth it but I think there are many for whom the time and effort wouldn’t be worth it, given their context. From the little I’ve seen of your posts, it seems you certainly have the aptitude to make the VPS route work well. You’d have to decide whether the investment is worth it.