From 5843d695b3635647c24b06fc9278de1261195c8f Mon Sep 17 00:00:00 2001
From: Emilien Mantel
Date: Fri, 16 Mar 2018 21:56:15 +0100
Subject: [PATCH] Manage FreeBSD 11
---
 Vagrantfile | 59 ++++++++++++++++-----------------
 defaults/main.yml | 1 +
 tasks/config.yml | 13 +++++++-
 tasks/install_Debian.yml | 25 ++++++++++++++
 tasks/install_FreeBSD.yml | 27 +++++++++++++++
 tasks/ssl/acme.yml | 24 --------------
 tests/includes/post_FreeBSD.yml | 50 ++++++++++++++--------------
 tests/includes/pre_Debian.yml | 25 ++------------
 tests/includes/pre_FreeBSD.yml | 40 ++++++++++++++++++++--
 tests/includes/pre_common.yml | 18 ++++++++++
 tests/test.yml | 17 +++++++---
 vars/FreeBSD.yml | 2 ++
 vars/main.yml | 6 ++++
 13 files changed, 197 insertions(+), 110 deletions(-)
 create mode 100644 tests/includes/pre_common.yml
diff --git a/Vagrantfile b/Vagrantfile
index bcfdcca..fffebbf 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -14,7 +14,9 @@ Vagrant.configure("2") do |config|
 ]
 vms_freebsd = [
- { :name => "freebsd-10.2", :box => "freebsd/FreeBSD-10.2-STABLE" }
+ { :name => "freebsd-10", :box => "freebsd/FreeBSD-10.4-STABLE", :vars => {} },
+ { :name => "freebsd-11", :box => "freebsd/FreeBSD-11.1-STABLE", :vars => {} },
+ { :name => "freebsd-12", :box => "freebsd/FreeBSD-12.0-CURRENT", :vars => {} }
 ]
 conts = [
@@ -26,6 +28,7 @@ Vagrant.configure("2") do |config|
 ]
 config.vm.network "private_network", type: "dhcp"
+ config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
 conts.each do |opts|
 config.vm.define opts[:name] do |m|
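Review bot: `config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true` is set on the top-level `config`, so it turns off the /vagrant share for every machine defined in this file, not only the FreeBSD guests that the commit is about. If only FreeBSD needs it (the commented-out block removed in the next hunk attached the same line to the FreeBSD VMs, presumably because the shared folder does not work there), move it into the `vms_freebsd.each` define block as `m.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true`; if every guest is meant to lose the share, a one-line comment saying so would stop the next reader from re-enabling it. The enclosing `Vagrant.configure` block starts before and ends after this hunk.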
@@ -50,36 +53,32 @@ Vagrant.configure("2") do |config|
 v.cpus = 1
 v.memory = 256
 end
- m.vm.provision "ansible" do |ansible|
- ansible.playbook = "tests/test.yml"
- ansible.verbose = 'vv'
- ansible.become = true
- ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true })
- end
+ m.vm.provision "ansible" do |ansible|
+ ansible.playbook = "tests/test.yml"
+ ansible.verbose = 'vv'
+ ansible.become = true
+ ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true })
+ end
+ end
+ end
+
+ vms_freebsd.each do |opts|
+ config.ssh.shell = "csh"
+ config.vm.base_mac = "080027D14C66"
+ config.vm.define opts[:name] do |m|
+ m.vm.box = opts[:box]
+ m.vm.provider "virtualbox" do |v|
+ v.cpus = 2
+ v.memory = 512
+ end
+ m.vm.provision "shell", inline: "pkg install -y python bash"
+ m.vm.provision "ansible" do |ansible|
+ ansible.playbook = "tests/test.yml"
+ ansible.verbose = 'vv'
+ ansible.become = true
+ ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, "ansible_python_interpreter": '/usr/local/bin/python' })
+ end
 end
 end
- # See: https://forums.freebsd.org/threads/52717/
-# vms_freebsd.each do |opts|
-# config.vm.define opts[:name] do |m|
-# m.vm.box = opts[:box]
-# m.vm.provider "virtualbox" do |v|
-# v.vm.cpus = 1
-# v.vm.memory = 256
-# v.vm.guest = :freebsd
-# v.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
-# v.vm.base_mac = "080027D14C66"
-# end
-# config.ssh.shell = "sh"
-# m.vm.provision "shell", inline: "pkg install -y python bash"
-# m.vm.provision "ansible" do |ansible|
-# ansible.playbook = "tests/test.yml"
-# ansible.verbose = 'vv'
-# ansible.become = true
-# ansible.extra_vars = {
-# ansible_python_interpreter: '/usr/local/bin/python'
-# }
-# end
-# end
-# end
 end
diff --git a/defaults/main.yml b/defaults/main.yml
index bd0005b..c0215d2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
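Review bot: Inside `vms_freebsd.each`, `config.ssh.shell = "csh"` and `config.vm.base_mac = "080027D14C66"` are assigned on the global `config` rather than on the per-machine `m`, so they apply to every machine in the Vagrantfile: the Debian VMs and containers defined by the earlier `conts.each` loop also get `csh` as their SSH shell (which they may not have installed), and all guests share one base MAC. Move both into the define block as `m.ssh.shell = "csh"` and `m.vm.base_mac = "080027D14C66"`, which is also where the removed commented-out block kept them. The enclosing `Vagrant.configure` block starts before this hunk.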
@@ -108,6 +108,7 @@ nginx_ssl_pairs: []
 # Dynamic modules
 #
 nginx_module_packages: []
+nginx_load_modules: []
 #
 # Diffie-Hellman
diff --git a/tasks/config.yml b/tasks/config.yml
index 24cb01d..cc6795c 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -30,5 +30,16 @@
 line: 'fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;'
 - regexp: '^fastcgi_param DOCUMENT_ROOT'
 line: 'fastcgi_param DOCUMENT_ROOT $realpath_root;'
- - [ '/etc/nginx/fastcgi_params', '/etc/nginx/fastcgi.conf' ]
+ -
+ - '{{ nginx_etc_dir }}/fastcgi_params'
+ - '{{ nginx_etc_dir }}/fastcgi.conf'
 when: nginx_fastcgi_fix_realpath
+
+- name: COPY | Add modules manually
+ copy:
+ content: |
+ {% for m in nginx_load_modules %}
+ load_module {{ m }};
+ {% endfor %}
+ dest: "{{ nginx_etc_dir }}/modules-enabled/000-modules.conf"
+ notify: reload nginx
diff --git a/tasks/install_Debian.yml b/tasks/install_Debian.yml
index b469bbc..fb8fe03 100644
--- a/tasks/install_Debian.yml
+++ b/tasks/install_Debian.yml
@@ -40,3 +40,28 @@
 apt:
 pkg: python-passlib
 state: present
+
+- name: STAT | Check acme.sh is installed
+ stat:
+ path: "{{ nginx_acmesh_dir }}"
+ register: acme
+
+- block:
+
+ - name: APT | Install git
+ apt:
+ pkg: git
+
+ - name: GIT | Get acme.sh
+ git:
+ repo: 'https://github.com/Neilpang/acme.sh.git'
+ dest: '{{ nginx_acmesh_git_dir }}'
+ update: no
+
+ - name: SHELL | Install acme.sh
+ shell: ./acme.sh --install --home {{ nginx_acmesh_dir }} --cert-home {{ nginx_acmesh_dir }}
+ args:
+ chdir: "{{ nginx_acmesh_git_dir }}"
+ creates: "{{ nginx_acmesh_dir }}"
+
+ when: not acme.stat.exists
diff --git a/tasks/install_FreeBSD.yml b/tasks/install_FreeBSD.yml
index 84dfeb4..b350563 100644
--- a/tasks/install_FreeBSD.yml
+++ b/tasks/install_FreeBSD.yml
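Review bot: `COPY | Add modules manually` has no condition, so it rewrites `modules-enabled/000-modules.conf` on every host even when `nginx_load_modules` is empty (the default added in defaults/main.yml), leaving an empty file in a directory that the nginx configuration presumably includes; guard it with `when: nginx_load_modules | length > 0`, or state in the task name that an empty file is intended. Each entry is interpolated verbatim into a `load_module` directive, so the new default deserves a comment in defaults/main.yml along the lines of `# Absolute paths of dynamic modules, written as load_module directives to modules-enabled/000-modules.conf`. Whether the role's nginx.conf actually includes `modules-enabled/*.conf` on FreeBSD cannot be seen from this diff — vars/main.yml only creates the directory — and is worth confirming before relying on the new variable there.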
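Review bot: `GIT | Get acme.sh` clones `https://github.com/Neilpang/acme.sh.git` without a `version:`, and the following `SHELL | Install acme.sh` task executes that checkout with root privileges, so what gets installed is whatever the upstream default branch holds on the day the role runs and cannot be reproduced or audited afterwards. Pin the checkout, e.g. `version: '<acme.sh release tag or commit>'`, so the installed code is fixed and an upgrade shows up as a deliberate diff; together with `update: no` that also makes the `creates:` guard meaningful. The same tasks existed before in tasks/ssl/acme.yml with the same omission, so this is a pre-existing gap that the move is a good moment to close.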
@@ -5,10 +5,37 @@
 name: "{{ item }}"
 state: present
 with_items:
+ - acme.sh
 - "{{ nginx_pkgng_package }}"
 - py27-passlib
 - curl
+#
+# Bypass https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224166#c1
+#
+- block:
+
+ - name: COMMAND | Create /usr/local/etc/fdfs/http.conf
+ command: touch /usr/local/etc/fdfs/http.conf
+ args:
+ creates: /usr/local/etc/fdfs/http.conf
+ register: fd1
+
+ - name: LINEINFILE | Tune fdfs
+ lineinfile:
+ regexp: ^load_fdfs_parameters_from_tracker
+ line: load_fdfs_parameters_from_tracker=false
+ path: /usr/local/etc/fdfs/mod_fastdfs.conf
+ register: fd2
+
+ - name: SERVICE | Restart nginx when fdfs is tuned
+ service:
+ name: nginx
+ state: restarted
+ when: fd1.changed or fd2.changed
+
+ when: true
+
 - name: FILE | Create configuration dir (like Debian)
 file:
 path: "{{ nginx_etc_dir }}/{{ item }}"
diff --git a/tasks/ssl/acme.yml b/tasks/ssl/acme.yml
index dea956d..804185d 100644
--- a/tasks/ssl/acme.yml
+++ b/tasks/ssl/acme.yml
@@ -1,33 +1,9 @@
 ---
-- name: APT | Install git
- apt: pkg=git
-
 - name: SET_FACT | Assign default..
 set_fact:
 acme_create: []
-- name: STAT | Check acme.sh is installed
- stat:
- path: "{{ nginx_acmesh_dir }}"
- register: acme
-
-- block:
-
- - name: GIT | Get acme.sh
- git:
- repo: 'https://github.com/Neilpang/acme.sh.git'
- dest: '{{ nginx_acmesh_git_dir }}'
- update: no
-
- - name: SHELL | Install acme.sh
- shell: ./acme.sh --install --home {{ nginx_acmesh_dir }} --cert-home {{ nginx_acmesh_dir }}
- args:
- chdir: "{{ nginx_acmesh_git_dir }}"
- creates: "{{ nginx_acmesh_dir }}"
-
- when: not acme.stat.exists
-
 - name: STAT | Check if certificates are already installed
 stat:
 path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.crt"
diff --git a/tests/includes/post_FreeBSD.yml b/tests/includes/post_FreeBSD.yml
index 4be1f50..3c48e55 100644
--- a/tests/includes/post_FreeBSD.yml
+++ b/tests/includes/post_FreeBSD.yml
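Review bot: The fdfs workaround block ends with `when: true`, which is a no-op: the `touch` and `lineinfile` tasks run on every FreeBSD host, and `LINEINFILE | Tune fdfs` will fail wherever `/usr/local/etc/fdfs/mod_fastdfs.conf` does not exist, since the preceding command only creates `http.conf` and the task has no `create:`. If the workaround is only needed when the chosen `nginx_pkgng_package` ships the fastdfs module, gate the block on that instead, or on a role variable (defaulting to true) that users of other packages can switch off; at minimum replace `when: true` with a comment pointing at the bug report already cited above the block. `SERVICE | Restart nginx when fdfs is tuned` also restarts nginx during the install phase, before the role's configuration tasks have run, which may fail on a first run where no valid nginx.conf exists yet — a handler notification would fit the rest of the role better.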
@@ -1,30 +1,30 @@
 ---
-- name: APT | Install web apps
- pkgng:
- pkg: "{{ item }}"
- state: present
- with_items:
- - nagios
- - backuppc
-
-- name: COMMAND | Activate backuppc config
- command: >
- cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl
- creates=/usr/local/etc/backuppc/config.pl
-
-- name: FILE | Fix backuppc permissions
- file:
- path: /usr/local/etc/backuppc/config.pl
- owner: backuppc
- group: backuppc
-
-- name: FILE | Fix fcgiwrap permission
- file:
- path: "{{ nginx_fcgiwrap_sock }}"
- mode: 0640
- owner: "{{ nginx_user }}"
- group: "{{ nginx_user }}"
+#- name: APT | Install web apps
+# pkgng:
+# pkg: "{{ item }}"
+# state: present
+# with_items:
+# - nagios
+# - backuppc
+#
+#- name: COMMAND | Activate backuppc config
+# command: >
+# cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl
+# creates=/usr/local/etc/backuppc/config.pl
+#
+#- name: FILE | Fix backuppc permissions
+# file:
+# path: /usr/local/etc/backuppc/config.pl
+# owner: backuppc
+# group: backuppc
+#
+#- name: FILE | Fix fcgiwrap permission
+# file:
+# path: "{{ nginx_fcgiwrap_sock }}"
+# mode: 0640
+# owner: "{{ nginx_user }}"
+# group: "{{ nginx_user }}"
 #
 # We don't manage BackupPC on FreeBSD... too dirty. :/
diff --git a/tests/includes/pre_Debian.yml b/tests/includes/pre_Debian.yml
index 3af0f97..59eab2d 100644
--- a/tests/includes/pre_Debian.yml
+++ b/tests/includes/pre_Debian.yml
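Review bot: The removed tasks are kept verbatim as `#`-prefixed lines instead of being deleted, which leaves dead YAML that will silently drift from what pre_FreeBSD.yml and test.yml do (module names, package list, socket mode) and invites someone to uncomment it later. Since git already preserves the old tasks, delete the commented block and keep only the trailing `# We don't manage BackupPC on FreeBSD... too dirty. :/` note; if the `fcgiwrap` socket permission fix is now handled elsewhere, say so there, as that cannot be seen from this diff.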
@@ -94,25 +94,6 @@
 dest: "/tmp"
 remote_src: yes
-- name: SHELL | Check if ngrok is started
- shell: ps aux | grep -q [n]grok
- register: psngrok
- changed_when: false
- failed_when: false
-
-- block:
-
- - name: SHELL | Start ngrok
- shell: daemonize /tmp/ngrok http 8888 -bind-tls=false
-
- - name: WAIT_FOR | ngrok started
- wait_for:
- delay: 2
- port: 4040
-
- when: psngrok.rc > 0
-
-- name: SHELL | Get ngrok public address
- shell: curl 'http://127.0.0.1:4040/api/tunnels/command_line' | jq '.public_url' | grep -oE '[[:alnum:]]+\.ngrok\.io'
- register: ngrok
- changed_when: false
+- name: SET_FACT | ngrok_path
+ set_fact:
+ ngrok_path: '/tmp/ngrok'
diff --git a/tests/includes/pre_FreeBSD.yml b/tests/includes/pre_FreeBSD.yml
index 3227c7f..80bfbe5 100644
--- a/tests/includes/pre_FreeBSD.yml
+++ b/tests/includes/pre_FreeBSD.yml
@@ -2,23 +2,35 @@
 - name: SET_FACT | FreeBSD web user
 set_fact:
- nginx_pkgng_package: 'nginx-devel'
+ nginx_pkgng_package: 'nginx-full'
 nginx_user: 'www'
 nginx_php:
- - version: '5.6'
+ - version: '7.2'
 sockets:
 - host: '127.0.0.1'
 port: 9000
+ nginx_load_modules:
+ - /usr/local/libexec/nginx/ngx_http_geoip_module.so
+ ngrok_path: '/usr/local/bin/ngrok'
 - name: PKGNG | Install needed packages
 pkgng:
 pkg: "{{ item }}"
 state: present
 with_items:
- - php56
 - curl
+ - daemonize
 - fcgiwrap
+ - GeoIP
+ - jq
 - nghttp2
+ - php72
+ - vim
+
+- name: COMMAND | Get geoip database
+ command: geoipupdate.sh
+ args:
+ creates: /usr/local/share/GeoIP/GeoIP.dat
 - name: SERVICE | Force start services
 service:
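Review bot: On Debian `ngrok_path` is set to `/tmp/ngrok`, which is also the literal path passed as daemonize's lock file (`-l /tmp/ngrok`) in the new tests/includes/pre_common.yml, so on Debian the ngrok binary and the lock file are the same file; the "Can't lock the lock file" detection then depends on a lock held on the executable itself, and if daemonize ever writes to its lock file the binary is damaged. Give the lock its own path in pre_common.yml, e.g. `shell: daemonize -l /tmp/ngrok.lock {{ ngrok_path }} http 8888 -bind-tls=false`, so the binary location and the lock are independent on both platforms. The binary is also unpacked into and executed from `/tmp` with elevated privileges (see the `dest: "/tmp"` context above), which is acceptable for a throwaway test VM but deserves a comment so it is not copied into the role proper.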
@@ -29,3 +41,25 @@
 with_items:
 - php-fpm
 - fcgiwrap
+
+- name: STAT | Check ports
+ stat:
+ path: /usr/ports
+ register: ports
+
+- block:
+
+ - name: COMMAND | Get ports
+ command: portsnap fetch --interactive
+
+ - name: COMMAND | Extract ports
+ command: portsnap extract
+ no_log: true
+
+ when: not ports.stat.exists
+
+- name: SHELL | Install ngrok
+ shell: make install clean DISABLE_LICENSES=yes
+ args:
+ chdir: /usr/ports/security/ngrok
+ creates: "{{ ngrok_path }}"
diff --git a/tests/includes/pre_common.yml b/tests/includes/pre_common.yml
new file mode 100644
index 0000000..1b667b2
--- /dev/null
+++ b/tests/includes/pre_common.yml
@@ -0,0 +1,18 @@
+---
+
+- name: SHELL | Start ngrok
+ shell: daemonize -l /tmp/ngrok {{ ngrok_path }} http 8888 -bind-tls=false
+ failed_when: false
+ changed_when: ngrok.stderr.find("Can't lock the lock file") == -1
+ register: ngrok
+
+- name: WAIT_FOR | ngrok started
+ wait_for:
+ delay: 2
+ port: 4040
+ when: ngrok.changed
+
+- name: SHELL | Get ngrok public address
+ shell: curl 'http://127.0.0.1:4040/api/tunnels/command_line' | jq '.public_url' | grep -oE '[[:alnum:]]+\.ngrok\.io'
+ register: ngrok
+ changed_when: false
diff --git a/tests/test.yml b/tests/test.yml
index 00a5ffe..fe9d005 100644
--- a/tests/test.yml
+++ b/tests/test.yml
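Review bot: `SHELL | Start ngrok` sets `failed_when: false`, so every failure other than the expected "already running" lock-file case (daemonize or ngrok missing, a wrong `ngrok_path`, bad arguments) is swallowed; `changed_when` then evaluates to true and `WAIT_FOR | ngrok started` burns its whole timeout on port 4040 before reporting an error unrelated to the real cause. Fail only on real errors instead: `failed_when: ngrok.rc != 0 and ngrok.stderr.find("Can't lock the lock file") == -1`. Registering both the start result and the later public-address lookup as `ngrok` works only because `WAIT_FOR` sits between them; a distinct name such as `ngrok_start` for the first task would make that ordering dependency explicit.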
@@ -4,22 +4,29 @@
 pre_tasks:
 - name: INCLUDE | Pre_tasks related to OS version
 include: "includes/pre_{{ ansible_distribution }}.yml"
+
+ - name: INCLUDE | Pre_tasks common
+ include: "includes/pre_common.yml"
+
 - name: FILE | Create an internal SSL dir
 file:
 path: "{{ int_ansible_ssl_dir }}"
 state: directory
+
 - name: COPY | Deploy test certificate
 copy:
 src: "file/test.crt"
 dest: "{{ int_ansible_ssl_dir }}/test.crt"
+
 - name: COPY | Deploy test key
 copy:
 src: "file/test.key"
 dest: "{{ int_ansible_ssl_dir }}/test.key"
+
 - name: LINEINFILE | Add all hosts in /etc/hosts
 lineinfile:
- line: "127.0.2.1\t{% for s in nginx_sites %}{% if s.name is string %}{{ s.name }}{% else %}{% for n in s.name %}{{ n }} {% endfor %}{% endif %} {% if s.redirect_from is defined %}{% for rf in s.redirect_from %}{{ rf }} {% endfor %}{% endif %}{% endfor %}"
- regexp: '^127\.0\.2'
+ line: "127.0.0.1\tlocalhost {% for s in nginx_sites %}{% if s.name is string %}{{ s.name }}{% else %}{% for n in s.name %}{{ n }} {% endfor %}{% endif %} {% if s.redirect_from is defined %}{% for rf in s.redirect_from %}{{ rf }} {% endfor %}{% endif %}{% endfor %}"
+ regexp: '^127\.0\.0\.1'
 dest: "/etc/hosts"
 unsafe_writes: yes
@@ -122,7 +129,7 @@
 -----END CERTIFICATE-----
 nginx_custom_http:
 - 'add_header X-ansible 1;'
- - 'geoip_country /usr/share/GeoIP/GeoIP.dat;'
+ - 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
 - 'map $geoip_country_code $allowed_country {'
 - ' default yes;'
 - ' MA no;'
@@ -414,7 +421,7 @@
 failed_when: authbpc.content.find('BackupPC Server Status') == -1
 # --------------------------------
-# Nagios (not avaiblable on Debian >= 9)
+# Nagios (not avaiblable on Debian >= 9 and not tested on FreeBSD)
 # --------------------------------
 - block:
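Review bot: The rewritten section header keeps the misspelling `avaiblable` from the old line. Since the line is touched anyway, change it to `# Nagios (not available on Debian >= 9 and not tested on FreeBSD)`.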
@@ -438,7 +445,7 @@
 register: nagios_cgi
 failed_when: nagios_cgi.content.find('Nagios Event Summary') == -1
- when: ansible_distribution_major_version | version_compare('9', 'lt')
+ when: ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('9', 'lt')
 # --------------------------------
diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml
index 18642b1..705f40d 100644
--- a/vars/FreeBSD.yml
+++ b/vars/FreeBSD.yml
@@ -5,3 +5,5 @@ nginx_etc_dir: '/usr/local/etc/nginx'
 # Specific sites
 nginx_nagios_root: '/usr/local/www/nagios'
 nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock'
+
+nginx_acmesh_bin: '/usr/local/sbin/acme.sh'
diff --git a/vars/main.yml b/vars/main.yml
index dc7d2f0..fd637c4 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -32,6 +32,12 @@ nginx_dirs:
 - dir: "{{ nginx_helper_dir }}"
 mode: "0755"
 owner: "root"
+ - dir: "{{ nginx_etc_dir }}/modules-available"
+ mode: "0755"
+ owner: "root"
+ - dir: "{{ nginx_etc_dir }}/modules-enabled"
+ mode: "0755"
+ owner: "root"
 nginx_templates_no_dir:
 - '_backuppc'
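Review bot: `nginx_acmesh_bin` is introduced for FreeBSD only; nothing else in this patch defines it for Debian or reads it, so if tasks/ssl/acme.yml is meant to invoke the binary through this variable, Debian hosts would hit an undefined variable unless a value already exists in a file outside this diff (the Debian install puts acme.sh under `{{ nginx_acmesh_dir }}`, where the executable path would differ). Either add the Debian counterpart in the same change or add a comment here, e.g. `# Path of the acme.sh binary installed from pkg (see tasks/install_FreeBSD.yml)`, noting where the matching value for other platforms lives.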