From 591f2c6bcb4cac2e5ec4a2a0858df5f8bdf25fea Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Wed, 28 May 2025 17:56:58 +0200 Subject: [PATCH 1/8] :hammer: Modernize lint config --- .ansible-lint | 4 ---- .config/ansible-lint.yml | 12 ++++++++++++ .gitignore | 3 +++ .yamllint.yml | 2 ++ 4 files changed, 17 insertions(+), 4 deletions(-) delete mode 100644 .ansible-lint create mode 100644 .config/ansible-lint.yml diff --git a/.ansible-lint b/.ansible-lint deleted file mode 100644 index a648d99..0000000 --- a/.ansible-lint +++ /dev/null @@ -1,4 +0,0 @@ ---- - -enable_list: - - fqcn-builtins diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml new file mode 100644 index 0000000..c334001 --- /dev/null +++ b/.config/ansible-lint.yml @@ -0,0 +1,12 @@ +--- + +profile: production + +warn_list: [] + +skip_list: [] + +exclude_paths: + - .github/ + - .venv/ + - venv/ diff --git a/.gitignore b/.gitignore index c5864c5..04ef7cf 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,6 @@ *.pyc /tests/hanxhx.php /.idea +/.venv +/venv +/.ansible diff --git a/.yamllint.yml b/.yamllint.yml index 53974a0..a3618d2 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -4,3 +4,5 @@ extends: default rules: line-length: disable + +ignore-from-file: .gitignore From 9a52e83315c9cfa35bce14b6a5e98d2a69f837d4 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Mon, 2 Jun 2025 10:30:32 +0200 Subject: [PATCH 2/8] :alembic: Modernize role - Drop ngrok support - Do not link legacy tests files --- .github/workflows/molecule.yml | 3 +- molecule/_shared/base.yml | 3 + molecule/_shared/converge.yml | 17 +- .../_shared/group_vars/all/main.yml | 24 +- molecule/_shared/prepare.yml | 108 ++++++- molecule/_shared/vars/misc.yml | 259 ----------------- molecule/_shared/verify.yml | 265 +++++++++++++++++- tasks/ssl/acme.yml | 2 +- tests/file/test.crt | 19 -- tests/file/test.key | 28 -- 10 files changed, 376 insertions(+), 352 deletions(-) rename tests/group_vars/all.yml => molecule/_shared/group_vars/all/main.yml (95%) delete mode 100644 molecule/_shared/vars/misc.yml delete mode 100644 tests/file/test.crt delete mode 100644 tests/file/test.key diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index 37d38de..ea12ae4 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -32,11 +32,10 @@ jobs: path: "${{ github.repository }}" - name: Molecule - uses: gofrolist/molecule-action@v2.3.19 + uses: gofrolist/molecule-action@v2.7.62 with: molecule_options: --base-config molecule/_shared/base.yml molecule_args: --scenario-name ${{ matrix.scenario }} - molecule_working_dir: "HanXHX/ansible-nginx" continue-on-error: ${{ matrix.allowed-to-fail }} - name: Fake command diff --git a/molecule/_shared/base.yml b/molecule/_shared/base.yml index 0101203..54e7092 100644 --- a/molecule/_shared/base.yml +++ b/molecule/_shared/base.yml @@ -35,5 +35,8 @@ provisioner: converge: ../_shared/converge.yml prepare: ../_shared/prepare.yml verify: ../_shared/verify.yml + inventory: + links: + group_vars: ../_shared/group_vars verifier: name: ansible diff --git a/molecule/_shared/converge.yml b/molecule/_shared/converge.yml index 7f830f0..73a8110 100644 --- a/molecule/_shared/converge.yml +++ b/molecule/_shared/converge.yml @@ -1,20 +1,9 @@ --- -- name: Converge +- name: Converge # noqa: role-name[path] hosts: all gather_facts: true - vars_files: - - vars/misc.yml vars: nginx_debug_role: true - tasks: - - name: SHELL | Get ngrok public address - ansible.builtin.shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3 - args: - executable: /bin/bash - register: ngrok - changed_when: false - - - name: Include role - ansible.builtin.include_role: - name: "hanxhx.nginx" + roles: + - ../../../ diff --git a/tests/group_vars/all.yml b/molecule/_shared/group_vars/all/main.yml similarity index 95% rename from tests/group_vars/all.yml rename to molecule/_shared/group_vars/all/main.yml index 504657e..d6a86ae 100644 --- a/tests/group_vars/all.yml +++ b/molecule/_shared/group_vars/all/main.yml @@ -42,8 +42,6 @@ nginx_acmesh: true nginx_acmesh_test: true nginx_ssl_pairs: - - name: '{{ ngrok.stdout }}' - acme: true - name: 'test-ssl-selfsigned.local' self_signed: true force: false @@ -236,17 +234,17 @@ nginx_sites: ssl_name: 'test-ssl.local' headers: 'X-Proxy-Protocol': '1' - - name: '{{ ngrok.stdout }}' - proto: ['http', 'https'] - listen_proxy_protocol: [21080] - listen_proxy_protocol_ssl: [21443] - template: '_base' - ssl_name: '{{ ngrok.stdout }}' - headers: - 'X-acme': '1' - - name: 'test-custom-template.local' - custom_template: 'templates/custom_template.conf.j2' - root: '/tmp/custom-template' +# - name: '{{ ngrok.stdout }}' +# proto: ['http', 'https'] +# listen_proxy_protocol: [21080] +# listen_proxy_protocol_ssl: [21443] +# template: '_base' +# ssl_name: '{{ ngrok.stdout }}' +# headers: +# 'X-acme': '1' +# - name: 'test-custom-template.local' +# custom_template: 'templates/custom_template.conf.j2' +# root: '/tmp/custom-template' nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636'}]}] }}" nginx_dh_length: 1024 diff --git a/molecule/_shared/prepare.yml b/molecule/_shared/prepare.yml index 01d50cc..c4dc253 100644 --- a/molecule/_shared/prepare.yml +++ b/molecule/_shared/prepare.yml @@ -3,13 +3,107 @@ - name: Prepare hosts: all gather_facts: true - vars_files: - - vars/misc.yml - tasks: + - name: APT_REPOSITORY | Install backports + ansible.builtin.apt_repository: + repo: 'deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' + state: present + when: nginx_backports is defined and nginx_backports - - name: INCLUDE_TASKS | Pre tasks related to OS - ansible.builtin.include_tasks: "../../tests/includes/pre_{{ ansible_os_family }}.yml" + - name: APT | Install needed packages + ansible.builtin.apt: + pkg: "{{ packages }}" + update_cache: true + cache_valid_time: 3600 + state: present + vars: + packages: + - cron + - curl + - daemonize + - jq + - nghttp2 + - strace + - vim + - unzip - - name: INCLUDE_TASKS | Pre_tasks common - ansible.builtin.include_tasks: "../../tests/includes/pre_common.yml" + - name: APT | Install PHP + ansible.builtin.apt: + pkg: "{{ pkgs }}" + update_cache: true + cache_valid_time: 3600 + state: present + vars: + pkgs: + - php-cli + - php-fpm + + - name: SHELL | Get current PHP version # noqa: risky-shell-pipe + ansible.builtin.shell: php --version | awk '/^PHP/ { print $2 }' | grep -o -E '^.{3}' + changed_when: false + register: cur_php_version + + - name: SERVICE | Ensure PHP-FPM is started + ansible.builtin.service: + name: "php{{ cur_php_version.stdout }}-fpm" + state: started + + - name: USER | Create PHP User foo + ansible.builtin.user: + name: foo + system: true + + - name: INCLUDE_ROLE | hanxhx.php + ansible.builtin.include_role: + name: "hanxhx.php" + vars: + php_version: "{{ cur_php_version.stdout }}" + php_autoremove_default_pool: false + php_fpm_poold: + - name: 'hx_unix' + user: 'foo' + php_value: + display_errors: 'Off' + php_admin_value: + memory_limit: '98M' + - name: 'hx_ip' + listen: '127.0.0.1:9636' + + - name: FILE | Create an internal SSL dir + ansible.builtin.file: + path: "{{ int_ansible_ssl_dir }}" + state: directory + mode: 0750 + owner: root + group: root + + - name: COPY | Deploy test cert/key + ansible.builtin.copy: + src: "file/{{ item }}" + dest: "{{ int_ansible_ssl_dir }}/{{ item }}" + mode: 0640 + owner: root + group: root + loop: + - 'test.key' + - 'test.crt' + + - name: COPY | Add all hosts in /etc/hosts + ansible.builtin.copy: + content: | + 127.0.0.1 localhost + {% for s in nginx_sites %} + {% if s.name is string %} + 127.0.0.1 {{ s.name }} + {% else %} + 127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %} + {% endif %} + {% if s.redirect_from is defined %} + 127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %} + {% endif %} + {% endfor %} + dest: "/etc/hosts" + mode: 0644 + owner: root + group: root + unsafe_writes: true diff --git a/molecule/_shared/vars/misc.yml b/molecule/_shared/vars/misc.yml deleted file mode 100644 index 3cbe715..0000000 --- a/molecule/_shared/vars/misc.yml +++ /dev/null @@ -1,259 +0,0 @@ ---- - -# Force SysVinit, since systemd won't work in a Docker container -ansible_service_mgr: "sysvinit" - -# ---------------------------------------- -# Copied from {role_dir}/tests/group_vars/all.yml -# ---------------------------------------- - -# Internal vars -int_ansible_ssl_dir: '/etc/ansible-ssl' -# Role vars -nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number -nginx_apt_package: 'nginx-extras' -nginx_module_packages: ['libnginx-mod-http-headers-more-filter'] -nginx_custom_core: - - 'worker_rlimit_nofile 4242;' - -nginx_upstreams: - - name: 'test' - servers: - - path: '127.0.0.1:80' - max_conns: 150 - weight: 10 - down: false - - name: 'test-absent' - servers: - - path: '127.0.0.1:80' - max_conns: 150 - weight: 10 - down: false - state: 'absent' - -nginx_htpasswd: - - name: 'hello' - description: 'Please login!' - users: - - name: 'hx' - password: 'asdfg' - state: 'absent' - - name: 'hanx' - password: 'qwerty' - - name: 'deleteme' - description: 'Please login!' - users: [] - state: 'absent' - -nginx_acmesh: true -nginx_acmesh_test: true - -nginx_ssl_pairs: - - name: '{{ ngrok.stdout }}' - acme: true - - name: 'test-ssl-selfsigned.local' - self_signed: true - force: false - - name: - - 'test-ssl-predeployed.local' - - 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme - dest_key: "{{ int_ansible_ssl_dir }}/test.key" - dest_cert: "{{ int_ansible_ssl_dir }}/test.crt" - - name: 'test-ssl.local' - key: | - -----BEGIN RSA PRIVATE KEY----- - MIIEpAIBAAKCAQEAvavrJWFp3Al2VwRgKx+4Y2mbRRvoxvyd2pyN0xMJ/tCJscaG - 8s60v6WZ9FcCOeMkSI2DXsk4z7pbQdQn0h2GDr/5MOJkPAVWSWEN46tpaLZ3v0zp - 88ZIbnEk1G0PsdFuW/pnLsakPlAMrl1VArFsV6YsatLt30UIYYcRO97StkoOehCx - A5w+XqtfHZeQZ0/DS81633gwYUcMuSTUFZ60r7ge1/m77DTSKg3rTVk5sebP8cjS - +aWHvxP/GyvvDsT+3gjRJx2/5O3JkfH0zaOsaU2Avj0PR0c5rhynrNO/l1k+GJJB - cbBrM+yA8Ofzp4oXUrCfaIq3RuL3Pd+khcKsiwIDAQABAoIBAQCPpAMQ7BUfbosQ - m1+5SOx7XR8Z12kSSX3CcY12rJSFRakB2TeZ6rE38lIFmV82N67iw0kaH4nGx3sU - /3aoyXMc+IXfX5RJYEFYkQfTw5ywkH9fgQAsfZ2dBlK+DVo1cEYDoj9CTW1VQ4pX - Ape+0l8agd5hiBxdWgpe0ctbbARnx584viLiA/iPBDNxKi9zEYw+WP7hSj5QWahr - a09tubcC4L6tjvv8CoZTRSKfCW64vWRDvE6vmA+zJN9Arc1WTYzF1KO1Gybwf8h7 - stJb191smAgGDFhKo0j58ncyAnrS1k4mapm86QQhlfIA6DKvvC0qm3KdQns5b7HM - PyzW0hwBAoGBAO2mTVTOsziom9vtBwM0nRMMEgynR2X3EKMJz2mjcCf66f1F+aQ5 - DvQFM2V8S2s1nGnPh8NKKZ8DxW1NKuR4qx82zeAXpUs9ibHxOnw4YRC485zqc2Wt - fSO1OEDYeKyzWP1nGGtCntYUXzJnWn/wz0mBGKzLKTuLwyFIKx1b7bybAoGBAMxR - N+lT57rX6d4GUqcgNOuWMZ/D8egnE5+hsoiFnHOisRLOgUgBBSy4rwAZx+rdHYT+ - RO11L1PLYEzyvnO0f13R+N7aqKwNXDSzZGA+jb4pjkVidIC2smG/JYKJH5Z+kakw - mwMKP0wdRZJsCaMgScHmWJS8d6Ox/XJJoWrTWTbRAoGAWJlEgVaiaIArwz1F/QLz - gHNik0cWDkSi9jWlFxwwpycbbypUXM5M7dq2g6JoN6sACk6trbgLdlYgl5RKZm06 - VuPGs0H9hOSHXkix5jfasDJT2G9r4D9ixRo9w6cwriobBjYWW3612tgzeYYgrkwn - 655uhZUkZSfA8rqGIGbyZfsCgYAf5WH8G+wmIATTc1s92epJCOZwUY+XNVp75itP - 4sPczX4lOHW4PuiG5cH0GxI5mRE9rNAn3c5on2xGNvMCbyAfDmNyruH8Eg3d8E9w - MvO/xw79x/P2EA9i8QszCKMUxGeK6RqZ6+SbxkoRJKqQe77n9UTI228179hoGhSH - 77ySsQKBgQC8SSZn6a8PpSIIFXB9WCFMwfGFYbUz0wvpaeZP8GKx3BEzMeJqSUaJ - hrQgpwQXkueeamlCQcvV3AUCoBRWTYRLDrWiUIXuIgikDWBFp6TBvTnVRI7iktly - fNED7jXOSjJqnFmdkZlAI5V8dM++mVYVykJD6jcaVRQvxqFLrhSaRg== - -----END RSA PRIVATE KEY----- - cert: | - -----BEGIN CERTIFICATE----- - MIIDBTCCAe2gAwIBAgIJALKJfbk5vuieMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV - BAMMDnRlc3Qtc3NsLmxvY2FsMB4XDTE2MDExMTE2NDI0NFoXDTI2MDEwODE2NDI0 - NFowGTEXMBUGA1UEAwwOdGVzdC1zc2wubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUA - A4IBDwAwggEKAoIBAQC9q+slYWncCXZXBGArH7hjaZtFG+jG/J3anI3TEwn+0Imx - xobyzrS/pZn0VwI54yRIjYNeyTjPultB1CfSHYYOv/kw4mQ8BVZJYQ3jq2lotne/ - TOnzxkhucSTUbQ+x0W5b+mcuxqQ+UAyuXVUCsWxXpixq0u3fRQhhhxE73tK2Sg56 - ELEDnD5eq18dl5BnT8NLzXrfeDBhRwy5JNQVnrSvuB7X+bvsNNIqDetNWTmx5s/x - yNL5pYe/E/8bK+8OxP7eCNEnHb/k7cmR8fTNo6xpTYC+PQ9HRzmuHKes07+XWT4Y - kkFxsGsz7IDw5/OnihdSsJ9oirdG4vc936SFwqyLAgMBAAGjUDBOMB0GA1UdDgQW - BBRaSF1L+ivPhmIVGQjtviBqZWDS9DAfBgNVHSMEGDAWgBRaSF1L+ivPhmIVGQjt - viBqZWDS9DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCjrgB9+Zuq - Rx7T2mRUl4jf75dLabuBQD0ePALTtvNyBSghhzSr90mE7GlFOYAv0JsmEa3R1LVF - wLPIdrIhNHpt7hN0PkhUlfgmxBnRSCfhpiq4xxsDVFM7ehtDz4+dv1LUDMXo07+E - f24g9aqmypiFzHisUQrYIhtQmHxRpKyGp6kDAW9qNxg6k/Um00aHdYfuD9ER4ksR - f8Hto7f+vssKxCRY2OZXqq13PxEwC5+hgAUkTdrycA/moXFuHJi3lCnCND7sSzvG - tXBggOusyFZFC4bs2m+V+Z+RN+tK2c/c0nq5HR8MV5HwIm4Z8GoT2/0BfJ00cgWL - lVz0gDBfdH8f - -----END CERTIFICATE----- - -nginx_custom_http: - - 'add_header X-ansible 1;' - - 'geoip_country {% if ansible_os_family == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};' - - 'map $geoip_country_code $allowed_country {' - - ' default yes;' - - ' MA no;' - - ' DZ no;' - - ' TN no;' - - '}' - -nginx_default_site: 'test.local' -nginx_default_site_ssl: 'test-ssl-predeployed.local' - -nginx_sites: - - name: - - 'test.local' - - 'test-alias.local' - - 'test2-alias.local' - template: '_base' - filename: 'first-test' - override_try_files: '$uri/ $uri =404' - headers: - 'X-Frame-Options': 'deny always' - 'X-ansible-default': '1' - manage_local_content: false - use_error_log: true - more: - - 'autoindex off;' - location: - '/test': - - 'return 403;' - '/gunther': - - 'return 404;' - '/status': - - 'stub_status on;' - - 'access_log off;' - - 'allow 127.0.0.1;' - - 'deny all;' - - name: 'test-htpasswd.local' - template: '_base' - location_before: - '/hello': - - htpasswd: 'hello' - location: - '/public': - - htpasswd: false - use_error_log: true - - name: 'test-htpasswd-all.local' - template: '_base' - htpasswd: 'hello' - - name: 'test-location.local' - template: '_base' - location_before: - '/b': - - 'alias /var/tmp;' - '/c': - - 'alias /var/tmp;' - location: - '/': - - 'alias /var/tmp;' - '/a': - - 'alias /var/tmp;' - location_order_before: - - '/b' - - '/c' - location_order: - - '/' - - '/a' - - name: 'test-php.local' - php_upstream: "manual" - upstream_params: - - 'fastcgi_param FOO bar;' - redirect_from: - - 'www.test-php.local' - template: '_php' - use_error_log: true - use_access_log: true - - name: 'test-php-index.local' - template: '_php_index' - php_upstream: 'hx_unix' - - name: 'test-php-index2.local' - template: '_php_index2' - php_upstream: 'hx_ip' - - name: 'test-proxy.local' - listen: - - 8080 - template: '_proxy' - upstream_name: 'test' - headers: - 'X-proxyfied': '1' - - name: 'deleted.local' - state: 'absent' - - name: 'redirect-to.local' - redirect_to: 'http://test.local' - - name: 'test-ssl.local' - proto: ['http', 'https'] - template: '_base' - - name: - - 'test-ssl-selfsigned.local' - - 'www.test-ssl-selfsigned.local' - proto: ['http', 'https'] - template: '_base' - hsts: 'max-age=1664;' - - name: 'test-ssl-predeployed.local' - proto: ['http', 'https'] - template: '_base' - ssl_name: 'test-ssl-predeployed.local' - headers: - 'X-ansible-default': '1' - ssl_template: false - - name: 'test-ssl-redirect.local' - proto: ['https'] - template: '_base' - ssl_name: 'test-ssl.local' - redirect_https: true - - name: - - 'test-ssl-redirect-many.local' - - 'test-ssl-redirect-many2.local' - listen_ssl: [8443] - proto: ['https'] - template: '_base' - ssl_name: 'test-ssl.local' - redirect_https: true - redirect_from: - - 'www.test-ssl-redirect-many.local' - - 'www.test-ssl-redirect-many2.local' - - name: 'test-ssl-proxy-protocol.local' - proto: ['http', 'https'] - listen_proxy_protocol: [20080] - listen_proxy_protocol_ssl: [20443] - template: '_base' - ssl_name: 'test-ssl.local' - headers: - 'X-Proxy-Protocol': '1' - - name: '{{ ngrok.stdout }}' - proto: ['http', 'https'] - listen_proxy_protocol: [21080] - listen_proxy_protocol_ssl: [21443] - template: '_base' - ssl_name: '{{ ngrok.stdout }}' - headers: - 'X-acme': '1' - - name: 'test-custom-template.local' - custom_template: 'templates/custom_template.conf.j2' - root: '/tmp/custom-template' - -nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636'}]}] }}" -nginx_dh_length: 1024 diff --git a/molecule/_shared/verify.yml b/molecule/_shared/verify.yml index b12fc8a..2f14efc 100644 --- a/molecule/_shared/verify.yml +++ b/molecule/_shared/verify.yml @@ -3,17 +3,264 @@ - name: Verify hosts: all gather_facts: true - vars_files: - - vars/misc.yml vars: nginx_root: "/srv/www" tasks: - - name: SHELL | Get ngrok public address - ansible.builtin.shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3 - args: - executable: /bin/bash - register: ngrok + # -------------------------------- + # Deploy index files + # -------------------------------- + - name: -- Add PHP file -- + ansible.builtin.copy: + dest: "{{ nginx_root }}/{{ item }}/public/index.php" + content: " + item.template is defined and + (item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2') + failed_when: p.content.find('PHP Version') == -1 + + - name: -- VERIFY INDEX2 -- + ansible.builtin.uri: + url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet" + return_content: true + register: p2 + failed_when: p2.content.find('PHP Version') == -1 + + # -------------------------------- + # Basic Auth + # -------------------------------- + - name: -- VERIFY AUTH BASIC NONE -- + ansible.builtin.uri: + url: "http://test-htpasswd.local/hello/" + status_code: 401 + + - name: -- VERIFY AUTH BASIC FAIL -- + ansible.builtin.uri: + url: "http://test-htpasswd.local/hello/" + status_code: 401 + user: "fail" + password: "fail" + force_basic_auth: true + + - name: -- VERIFY AUTH BASIC OK -- + ansible.builtin.uri: + url: "http://test-htpasswd.local/hello/" + user: "hanx" + password: "qwerty" + force_basic_auth: true + + - name: -- VERIFY AUTH BASIC FAIL GLOBAL -- + ansible.builtin.uri: + url: "http://test-htpasswd-all.local/" + status_code: 401 + user: "fail" + password: "fail" + force_basic_auth: true + + - name: -- VERIFY AUTH BASIC OK GLOBAL -- + ansible.builtin.uri: + url: "http://test-htpasswd-all.local/" + user: "hanx" + password: "qwerty" + force_basic_auth: true + + # -------------------------------- + # SSL + # -------------------------------- + - name: -- VERIFY SSL -- + ansible.builtin.uri: + url: "https://{{ item }}/" + return_content: true + validate_certs: false + register: sslok + failed_when: sslok.content.find('Index HTML test OK') == -1 + loop: + - 'test-ssl-predeployed.local' + - 'test-ssl-selfsigned.local' + - 'test-ssl.local' + + - name: -- VERIFY SSL REDIRECT -- + ansible.builtin.uri: + url: "http://{{ item.name }}/" + validate_certs: false + status_code: 301 + return_content: true + follow_redirects: none + register: sslredirok + failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location' + loop: + - name: 'test-ssl-redirect.local' + - name: 'test-ssl-redirect-many.local' + port: '8443' + - name: 'test-ssl-redirect-many2.local' + port: '8443' + + # -------------------------------- + # Default sites + # -------------------------------- + - name: -- VERIFY DEFAULT SITE -- + ansible.builtin.uri: + url: 'http://127.0.0.1/' + return_content: true + register: vdefault + failed_when: > + vdefault.content.find('Index HTML test OK') == -1 or + vdefault.x_ansible_default is not defined + + - name: -- VERIFY DEFAULT SITE + STUB STATUS-- + ansible.builtin.uri: + url: 'http://127.0.0.1/status' + return_content: true + register: vdefault_status + failed_when: > + vdefault_status.content.find('Active connections') == -1 or + vdefault_status.x_ansible_default is not defined + + - name: -- VERIFY DEFAULT SSL SITE -- + ansible.builtin.uri: + url: 'https://127.0.0.1/' + return_content: true + validate_certs: false + register: vdefault + failed_when: > + vdefault.content.find('Index HTML test OK') == -1 or + vdefault.x_ansible_default is not defined + + - name: -- VERIFY NOT DEFAULT SITE -- + ansible.builtin.uri: + url: 'http://test-php.local/' + return_content: true + register: vphp + failed_when: vphp.x_ansible_default is defined + + - name: -- VERIFY NOT DEFAULT SSL SITE -- + ansible.builtin.uri: + url: 'https://test-ssl.local/' + return_content: true + validate_certs: false + register: notdefaultssl + failed_when: notdefaultssl.x_ansible_default is defined + + # -------------------------------- + # Check Proxy protocol + # -------------------------------- + - name: SHELL | Check HTTP proxy protocol + ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol' + args: + executable: /bin/bash + changed_when: false + + - name: SHELL | Check HTTPS proxy protocol + ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol' + args: + executable: /bin/bash + changed_when: false + + # -------------------------------- + # Check HTTP2 + # -------------------------------- + - name: SHELL | Check HTTP2 + ansible.builtin.shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2 + args: + executable: /bin/bash + changed_when: false diff --git a/tasks/ssl/acme.yml b/tasks/ssl/acme.yml index 74f0d5e..de881e6 100644 --- a/tasks/ssl/acme.yml +++ b/tasks/ssl/acme.yml @@ -13,7 +13,7 @@ - name: SET_FACT | Assign var with certificates to create ansible.builtin.set_fact: - acme_create: "{{ acme_create | default([]) + [(item.item)] }}" + acme_create: "{{ acme_create | default([]) + [item.item] }}" loop: "{{ acme_installed_certs.results }}" when: item.skipped is not defined and (not item.stat.exists or item.stat.size == 0) diff --git a/tests/file/test.crt b/tests/file/test.crt deleted file mode 100644 index 363d156..0000000 --- a/tests/file/test.crt +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDHTCCAgWgAwIBAgIJAJzUwbFlhyxIMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV -BAMMGnRlc3Qtc3NsLXByZWRlcGxveWVkLmxvY2FsMB4XDTE2MDExMjE2MDUxNVoX -DTI2MDEwOTE2MDUxNVowJTEjMCEGA1UEAwwadGVzdC1zc2wtcHJlZGVwbG95ZWQu -bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDm4q94vffiU89G -GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk -L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9 -d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6 -xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4 -PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV -9iPxkkRNAgMBAAGjUDBOMB0GA1UdDgQWBBSzXW5UY02/S0xrrobZCVOhas6VeDAf -BgNVHSMEGDAWgBSzXW5UY02/S0xrrobZCVOhas6VeDAMBgNVHRMEBTADAQH/MA0G -CSqGSIb3DQEBCwUAA4IBAQC0+Tr0w9aG4f3LG3+WRGKfMopKICNEkA7JrPrvVUq8 -7UgtdrpOUZAL5AKxVVo1rHDdoL/VpjdqHdhyPzaSUl8hppCFsWmdQh4wLKGoyvcN -AqSGpXTeLSoFJ357F2OIQpXm2lfT2fVGebwyCNFkwpp7klFnmOusSl2/v5Y5cz+A -WvWrDg3jsNglx3mNLVcjbOSnen2PsZSmcVo27D0el6oDju8jjstyJ+Dvu0WP+CDL -s/VolFdbei7d4r2dj86OZ/BCZurltyc0wI3NMOdUuA7q4f1MPTRu7qr/ua5ItK92 -Avc+Gjn/Y/aIhzKpPicJQDK6FzxjfhCc8xtk0EjB4IpP ------END CERTIFICATE----- diff --git a/tests/file/test.key b/tests/file/test.key deleted file mode 100644 index 7fbe267..0000000 --- a/tests/file/test.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDm4q94vffiU89G -GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk -L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9 -d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6 -xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4 -PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV -9iPxkkRNAgMBAAECggEAEEeZkczrRpUcP1gQuKEZbFMJFqUhevKkk+V6JAN1pGje -GK65j1ZFNX2nBo9Hetvsq5doYidvOat+RuMpAvbQIDlBoBzJDN8YWiC7UoAocm9q -VOdrr4btEO13MogQRuefH/xE8/vMGfKcBvFFNDw6UvxJQ7hVRIWPECf7sLj/vPOC -OpMKghxcabQqidMPKyyHVPhQjuIvqW/SqBFpD+Ul0Ja1QGdx+p+/EwVmXnei6Kr8 -/ypULreHqIlBLD6McfFehxDV0m5U7qXb5xK3zdUurIhZixKLjbdRrorNInfEvlOh -vDy+hsF5GSzvn9dRrMAy/QcRPpXU47VNYZ5BfdCBTQKBgQD8VCbdpG5siXSlIjZd -xypgK1ttp8udTPWC1trnAc+Ku9O+cGmvABxYJA1iR/GDpSfMxglB7OhSecywKrr+ -S7Yjs9e/dyBmvF7U15JJaGp+db2Ct64z7MvqkwSJ5a0qrrZJRFetDdqdH9FPvURs -B147jbKsPiGcljjXbZlOBHJH9wKBgQDqPqoA3VqYOmvR7Ei8/skY2EOpFpOhSNko -ARFwUsDNHRk677URH97TCHq5UrwubfCeIcIptXHrMfaTsfq8vPLPykReIMRaknxf -DULJPHSoeBLrCAZmaWF1JVyYhrLhHNAzQ3u7a/kYIJm87FEZy3Ml6FSZmIGbRBqx -zqZYKoHs2wKBgQD469tbk7cLg556uYGAidYYAS20w29uwlkAtgxFD9g6OIjuud7I -MQfFO+uoJOjwwaC9ti+zxY56roVq1PybmP0Zw3T3AQIJ15KFzhQWLte/4U8PATzt -JJEV2+sCTn3COZDCPpVvttcPYjAOxdwV5j7j6Sl2GeT2oIt6mjg+asyCiQKBgQDk -LPxu8TBRfv8OMqs8Jrf/EpL9/7b48bxOwpOZJZMXelPcXCm1r6TfTrA1HAmg9Ijh -kKLQ/CUm5Ll7b3B+L1Qa4r2sLyD11SF/eaxn2BMPFD/hYCTT160ObsF+9h8DN4z7 -kq3RiMDRJth69nuds9fLwj++ipcdhr62G0VgNq/u5wKBgCz/I5J3tPNjrU9YampR -0gNnUkUfJWbiVMsG9uwL9l0L/ZzQHvELJ523QXQ0v/e/szHCyoX319u8HEQlC0Jw -Twlj81HDZzruDUB/mcH6Ee3zHKOmmF6ma+CgoYJJElKW89MUttPdmkH2J1QqLz+7 -EGREwqjr8/wm22DzKNiyDXJ0 ------END PRIVATE KEY----- From 1aaf0351b4d657fdd46c5c78ff9f71973640d433 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Mon, 2 Jun 2025 10:35:34 +0200 Subject: [PATCH 3/8] :fire: Drop FreeBSD support --- README.md | 14 +----- defaults/main.yml | 2 - doc/freebsd.md | 12 ----- meta/main.yml | 7 +-- molecule/_shared/group_vars/all/main.yml | 2 +- tasks/install/FreeBSD.yml | 59 ------------------------ vars/FreeBSD.yml | 7 --- 7 files changed, 4 insertions(+), 99 deletions(-) delete mode 100644 doc/freebsd.md delete mode 100644 tasks/install/FreeBSD.yml delete mode 100644 vars/FreeBSD.yml diff --git a/README.md b/README.md index 7073d9f..2c7dc19 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,9 @@ -Nginx for Debian/FreeBSD Ansible role +Nginx for Debian/Ubuntu Ansible role ===================================== [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) ![GitHub Workflow Status (master branch)](https://img.shields.io/github/actions/workflow/status/hanxhx/ansible-nginx/molecule.yml?branch=master) -Install and configure Nginx on Debian/FreeBSD. +Install and configure Nginx on Debian/Ubuntu. Features: @@ -27,8 +27,6 @@ Supported OS: | Debian Buster (10) | Yes | Yes | | Debian Bullseye (11) | Yes | Yes | | Debian Bookworm (12) | Yes | Not yet :) | -| FreeBSD 11 | NA | No | -| FreeBSD 12 | NA | No | | Ubuntu 20.04 | Yes | Yes | | Ubuntu 22.04 | Yes | Yes | @@ -48,10 +46,6 @@ Debian: - `nginx_apt_package`: APT nginx package (try: apt-cache search ^nginx) - `nginx_backports`: Install nginx from backport repository (bool) -FreeBSD: - -- `nginx_pkgng_package`: PKGNG nginx package (should be "nginx" or "nginx-devel") - ### Shared - `nginx_root`: root directory where you want to have your files @@ -72,7 +66,6 @@ FreeBSD: - `nginx_custom_core`: instructions list (for core, will put data in `/etc/nginx/nginx.conf`) - `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`) - `nginx_module_packages`: package list module to install (Debian) -- `nginx_load_modules`: module list to load (full path), should be used only on FreeBSD ### Misc @@ -96,15 +89,12 @@ Fine configuration [Basic Auth](doc/auth.md) -[FreeBSD](doc/freebsd.md) - [acme.sh](doc/acme.md) Note ---- - Active support for Debian/Ubuntu. -- FreeBSD support is experimental. I only test (for the moment) 10.2 (but it can work on other versions). Dependencies ------------ diff --git a/defaults/main.yml b/defaults/main.yml index c83c350..1250c93 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -3,8 +3,6 @@ # Debian nginx_apt_package: nginx-full nginx_backports: false -# FreeBSD -nginx_pkgng_package: nginx # # Nginx shared variables diff --git a/doc/freebsd.md b/doc/freebsd.md deleted file mode 100644 index 8a1c40d..0000000 --- a/doc/freebsd.md +++ /dev/null @@ -1,12 +0,0 @@ -Freebsd -======= - -Limitations ------------ - -Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`. - -About modules -------------- - -Dynamic modules must be set with full path (see `nginx_load_modules` path). diff --git a/meta/main.yml b/meta/main.yml index 7445dcc..3056cf6 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: author: Emilien Mantel namespace: hanxhx role_name: nginx - description: Nginx for Debian / FreeBSD + description: Nginx for Debian / Ubuntu company: TripleStack license: GPLv2 min_ansible_version: '2.11' @@ -18,11 +18,6 @@ galaxy_info: versions: - focal - jammy - - name: FreeBSD - versions: - - '11.0' - - '11.1' - - '12.0' galaxy_tags: - web - debian diff --git a/molecule/_shared/group_vars/all/main.yml b/molecule/_shared/group_vars/all/main.yml index d6a86ae..87d7417 100644 --- a/molecule/_shared/group_vars/all/main.yml +++ b/molecule/_shared/group_vars/all/main.yml @@ -3,7 +3,7 @@ # Internal vars int_ansible_ssl_dir: '/etc/ansible-ssl' # Role vars -nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number +nginx_worker_processes: 1 # Ansible can't detect CPU count nginx_apt_package: 'nginx-extras' nginx_module_packages: ['libnginx-mod-http-headers-more-filter'] nginx_custom_core: diff --git a/tasks/install/FreeBSD.yml b/tasks/install/FreeBSD.yml deleted file mode 100644 index f0784a6..0000000 --- a/tasks/install/FreeBSD.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- - -- name: PKGNG | Install nginx and related tools - community.general.pkgng: - name: "{{ item }}" - state: present - loop: - - acme.sh - - "{{ nginx_pkgng_package }}" - - py27-passlib - - curl - -# -# Bypass https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224166#c1 -# -- name: Bypass https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224166#c1 - when: true - block: - - - name: COMMAND | Create /usr/local/etc/fdfs/http.conf - ansible.builtin.command: touch /usr/local/etc/fdfs/http.conf - args: - creates: /usr/local/etc/fdfs/http.conf - notify: Restart nginx - - - name: LINEINFILE | Tune fdfs - ansible.builtin.lineinfile: - regexp: ^load_fdfs_parameters_from_tracker - line: load_fdfs_parameters_from_tracker=false - path: /usr/local/etc/fdfs/mod_fastdfs.conf - notify: Restart nginx - - - name: META | Flush handlers (Restart nginx when fdfs is tuned) - ansible.builtin.meta: flush_handlers - -- name: FILE | Create configuration dir (like Debian) - ansible.builtin.file: - path: "{{ nginx_etc_dir }}/{{ item }}" - state: directory - mode: 0755 - owner: root - group: root - loop: - - conf.d - - sites-available - - sites-enabled - -- name: FILE | Create log directory - ansible.builtin.file: - path: "{{ nginx_log_dir }}" - owner: "{{ nginx_user }}" - group: wheel - mode: 0755 - state: directory - -- name: SERVICE | Enable nginx - ansible.builtin.service: - name: nginx - enabled: true diff --git a/vars/FreeBSD.yml b/vars/FreeBSD.yml deleted file mode 100644 index f1273e8..0000000 --- a/vars/FreeBSD.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - -nginx_events_use: 'kqueue' -nginx_pid: '/var/run/nginx.pid' -nginx_etc_dir: '/usr/local/etc/nginx' - -nginx_acmesh_bin: '/usr/local/sbin/acme.sh' From 8ec630284a8c5829c9c66b908486a4cdee11e403 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Mon, 2 Jun 2025 10:42:54 +0200 Subject: [PATCH 4/8] :fire: Drop legacy test suite --- README.md | 14 -- Vagrantfile | 87 -------- tests/includes/post_Debian.yml | 1 - tests/includes/post_FreeBSD.yml | 1 - tests/includes/post_common.yml | 262 ------------------------ tests/includes/pre_Debian.yml | 82 -------- tests/includes/pre_FreeBSD.yml | 66 ------ tests/includes/pre_common.yml | 59 ------ tests/templates/custom_template.conf.j2 | 16 -- tests/test.yml | 20 -- 10 files changed, 608 deletions(-) delete mode 100644 Vagrantfile delete mode 100644 tests/includes/post_Debian.yml delete mode 100644 tests/includes/post_FreeBSD.yml delete mode 100644 tests/includes/post_common.yml delete mode 100644 tests/includes/pre_Debian.yml delete mode 100644 tests/includes/pre_FreeBSD.yml delete mode 100644 tests/includes/pre_common.yml delete mode 100644 tests/templates/custom_template.conf.j2 delete mode 100644 tests/test.yml diff --git a/README.md b/README.md index 2c7dc19..00dd1b6 100644 --- a/README.md +++ b/README.md @@ -102,15 +102,6 @@ Dependencies See: [requirements.yml](requirements.yml). -If you need to dev this role locally on Vagrant ------------------------------------------------- - -Before use vagrant, run once: - -```commandline -ansible-galaxy install -p ./tests/ HanXHX.php,master -``` - If you need to dev this role locally with molecule -------------------------------------------------- @@ -122,11 +113,6 @@ With `debian-12` scenario: molecule -v -c molecule/_shared/base.yml verify -s debian-12 ``` -Example Playbook ----------------- - -See [tests/test.yml](tests/test.yml). - License ------- diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index 8cf523b..0000000 --- a/Vagrantfile +++ /dev/null @@ -1,87 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : -# vi: set tabstop=2 : -# vi: set shiftwidth=2 : - -Vagrant.configure("2") do |config| - - vms_debian = [ - { :name => "debian-buster", :box => "debian/buster64", :vars => {} }, - { :name => "debian-bullseye", :box => "debian/bullseye64", :vars => {} } - ] - - vms_freebsd = [ - { :name => "freebsd-11", :box => "freebsd/FreeBSD-11.3-STABLE", :vars => {} }, - { :name => "freebsd-12", :box => "freebsd/FreeBSD-12.1-STABLE", :vars => {} } - ] - - conts = [ - { :name => "docker-debian-buster", :docker => "hanxhx/vagrant-ansible:debian10", :vars => {} }, - { :name => "docker-debian-bullseye", :docker => "hanxhx/vagrant-ansible:debian11", :vars => {} }, - ] - - config.vm.network "private_network", type: "dhcp" - config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true - - conts.each do |opts| - config.vm.define opts[:name] do |m| - m.vm.provider "docker" do |d| - d.image = opts[:docker] - d.remains_running = true - d.has_ssh = true - end - - if opts[:name].include? "bullseye" - m.vm.provision "shell", inline: "[ -f '/root/first_provision' ] || (apt-get update -qq && apt-get -y dist-upgrade && touch /root/first_provision)" - end - - m.vm.provision "ansible" do |ansible| - ansible.playbook = "tests/test.yml" - ansible.verbose = 'vv' - ansible.become = true - ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, is_docker: true }) - end - end - end - - vms_debian.each do |opts| - config.vm.define opts[:name] do |m| - m.vm.box = opts[:box] - m.vm.provider "virtualbox" do |v| - v.cpus = 1 - v.memory = 256 - end - - if opts[:name].include? "bullseye" - m.vm.provision "shell", inline: "[ -f '/root/first_provision' ] || (apt-get update -qq && apt-get -y dist-upgrade && touch /root/first_provision)" - end - - m.vm.provision "ansible" do |ansible| - ansible.playbook = "tests/test.yml" - ansible.verbose = 'vv' - ansible.become = true - ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true }) - end - end - end - - vms_freebsd.each do |opts| - config.vm.base_mac = "080027D14C66" - config.vm.define opts[:name] do |m| - m.vm.box = opts[:box] - m.vm.provider "virtualbox" do |v, override| - override.ssh.shell = "csh" - v.cpus = 2 - v.memory = 512 - end - m.vm.provision "shell", inline: "[ -e /usr/local/bin/bash ] || pkg install -y python bash" - m.vm.provision "ansible" do |ansible| - ansible.playbook = "tests/test.yml" - ansible.verbose = 'vv' - ansible.become = true - ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, "ansible_python_interpreter": '/usr/local/bin/python' }) - end - end - end - -end diff --git a/tests/includes/post_Debian.yml b/tests/includes/post_Debian.yml deleted file mode 100644 index ed97d53..0000000 --- a/tests/includes/post_Debian.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/tests/includes/post_FreeBSD.yml b/tests/includes/post_FreeBSD.yml deleted file mode 100644 index ed97d53..0000000 --- a/tests/includes/post_FreeBSD.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/tests/includes/post_common.yml b/tests/includes/post_common.yml deleted file mode 100644 index 275ee43..0000000 --- a/tests/includes/post_common.yml +++ /dev/null @@ -1,262 +0,0 @@ ---- - -# -------------------------------- -# Deploy index files -# -------------------------------- -- name: -- Add PHP file -- - ansible.builtin.copy: - dest: "{{ nginx_root }}/{{ item }}/public/index.php" - content: " - item.template is defined and - (item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2') - failed_when: p.content.find('PHP Version') == -1 - -- name: -- VERIFY INDEX2 -- - ansible.builtin.uri: - url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet" - return_content: true - register: p2 - failed_when: p2.content.find('PHP Version') == -1 - -# -------------------------------- -# Basic Auth -# -------------------------------- -- name: -- VERIFY AUTH BASIC NONE -- - ansible.builtin.uri: - url: "http://test-htpasswd.local/hello/" - status_code: 401 - -- name: -- VERIFY AUTH BASIC FAIL -- - ansible.builtin.uri: - url: "http://test-htpasswd.local/hello/" - status_code: 401 - user: "fail" - password: "fail" - force_basic_auth: true - -- name: -- VERIFY AUTH BASIC OK -- - ansible.builtin.uri: - url: "http://test-htpasswd.local/hello/" - user: "hanx" - password: "qwerty" - force_basic_auth: true - -- name: -- VERIFY AUTH BASIC FAIL GLOBAL -- - ansible.builtin.uri: - url: "http://test-htpasswd-all.local/" - status_code: 401 - user: "fail" - password: "fail" - force_basic_auth: true - -- name: -- VERIFY AUTH BASIC OK GLOBAL -- - ansible.builtin.uri: - url: "http://test-htpasswd-all.local/" - user: "hanx" - password: "qwerty" - force_basic_auth: true - -# -------------------------------- -# SSL -# -------------------------------- -- name: -- VERIFY SSL -- - ansible.builtin.uri: - url: "https://{{ item }}/" - return_content: true - validate_certs: false - register: sslok - failed_when: sslok.content.find('Index HTML test OK') == -1 - loop: - - 'test-ssl-predeployed.local' - - 'test-ssl-selfsigned.local' - - 'test-ssl.local' - - '{{ ngrok.stdout }}' - -- name: -- VERIFY SSL REDIRECT -- - ansible.builtin.uri: - url: "http://{{ item.name }}/" - validate_certs: false - status_code: 301 - return_content: true - follow_redirects: none - register: sslredirok - failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location' - loop: - - name: 'test-ssl-redirect.local' - - name: 'test-ssl-redirect-many.local' - port: '8443' - - name: 'test-ssl-redirect-many2.local' - port: '8443' - -# -------------------------------- -# Default sites -# -------------------------------- -- name: -- VERIFY DEFAULT SITE -- - ansible.builtin.uri: - url: 'http://127.0.0.1/' - return_content: true - register: vdefault - failed_when: > - vdefault.content.find('Index HTML test OK') == -1 or - vdefault.x_ansible_default is not defined - -- name: -- VERIFY DEFAULT SITE + STUB STATUS-- - ansible.builtin.uri: - url: 'http://127.0.0.1/status' - return_content: true - register: vdefault_status - failed_when: > - vdefault_status.content.find('Active connections') == -1 or - vdefault_status.x_ansible_default is not defined - -- name: -- VERIFY DEFAULT SSL SITE -- - ansible.builtin.uri: - url: 'https://127.0.0.1/' - return_content: true - validate_certs: false - register: vdefault - failed_when: > - vdefault.content.find('Index HTML test OK') == -1 or - vdefault.x_ansible_default is not defined - -- name: -- VERIFY NOT DEFAULT SITE -- - ansible.builtin.uri: - url: 'http://test-php.local/' - return_content: true - register: vphp - failed_when: vphp.x_ansible_default is defined - -- name: -- VERIFY NOT DEFAULT SSL SITE -- - ansible.builtin.uri: - url: 'https://test-ssl.local/' - return_content: true - validate_certs: false - register: notdefaultssl - failed_when: notdefaultssl.x_ansible_default is defined - -# -------------------------------- -# Check Proxy protocol -# -------------------------------- -- name: SHELL | Check HTTP proxy protocol - ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol' - args: - executable: /bin/bash - changed_when: false - -- name: SHELL | Check HTTPS proxy protocol - ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol' - args: - executable: /bin/bash - changed_when: false - -# -------------------------------- -# Check HTTP2 -# -------------------------------- -- name: SHELL | Check HTTP2 - ansible.builtin.shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2 - args: - executable: /bin/bash - changed_when: false diff --git a/tests/includes/pre_Debian.yml b/tests/includes/pre_Debian.yml deleted file mode 100644 index 6e9edfe..0000000 --- a/tests/includes/pre_Debian.yml +++ /dev/null @@ -1,82 +0,0 @@ ---- - -- name: APT_REPOSITORY | Install backports - ansible.builtin.apt_repository: - repo: 'deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' - state: present - when: nginx_backports is defined and nginx_backports - -- name: APT | Install needed packages - ansible.builtin.apt: - pkg: "{{ packages }}" - update_cache: true - cache_valid_time: 3600 - state: present - vars: - packages: - - cron - - curl - - daemonize - - jq - - nghttp2 - - strace - - vim - - unzip - -- name: APT | Install PHP - ansible.builtin.apt: - pkg: "{{ pkgs }}" - update_cache: true - cache_valid_time: 3600 - state: present - vars: - pkgs: - - php-cli - - php-fpm - -- name: SHELL | Get current PHP version - ansible.builtin.shell: php --version | awk '/^PHP/ { print $2 }' | grep -o -E '^.{3}' - changed_when: false - register: cur_php_version - -# Bypasses Ansible+Docker issue. With service module... php is not really started! -- name: COMMAND | Force start PHP - ansible.builtin.command: "service php{{ cur_php_version.stdout }}-fpm start" - args: - creates: "/run/php/php{{ cur_php_version.stdout }}-fpm.pid" - -- name: GET_URL | Download ngrok - ansible.builtin.get_url: - url: "https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz" - dest: "/tmp/ngrok.zip" - -- name: UNARCHIVE | Uncompress ngrok - ansible.builtin.unarchive: - src: "/tmp/ngrok.zip" - dest: "/tmp" - remote_src: true - -- name: SET_FACT | ngrok_path - ansible.builtin.set_fact: - ngrok_path: '/tmp/ngrok' - -- name: USER | Create PHP User foo - ansible.builtin.user: - name: foo - system: true - -- name: INCLUDE_ROLE | hanxhx.php # TODO: repair vagrant - ansible.builtin.include_role: - name: "hanxhx.php" - vars: - php_version: "{{ cur_php_version.stdout }}" - php_autoremove_default_pool: false - php_fpm_poold: - - name: 'hx_unix' - user: 'foo' - php_value: - display_errors: 'Off' - php_admin_value: - memory_limit: '98M' - - name: 'hx_ip' - listen: '127.0.0.1:9636' diff --git a/tests/includes/pre_FreeBSD.yml b/tests/includes/pre_FreeBSD.yml deleted file mode 100644 index 84003fe..0000000 --- a/tests/includes/pre_FreeBSD.yml +++ /dev/null @@ -1,66 +0,0 @@ ---- - -- name: SET_FACT | FreeBSD web user - set_fact: - nginx_pkgng_package: 'nginx-full' - nginx_user: 'www' - nginx_php: - - upstream_name: 'manual' - sockets: - - host: '127.0.0.1' - port: 9000 - - upstream_name: 'hx_unix' - sockets: - - host: '127.0.0.1' - port: 9000 - - upstream_name: 'hx_ip' - sockets: - - host: '127.0.0.1' - port: 9000 - ngrok_path: '/usr/local/bin/ngrok' - -- name: PKGNG | Install needed packages - pkgng: - pkg: "{{ packages }}" - state: present - vars: - packages: - - bash - - curl - - daemonize - - fcgiwrap - - jq - - nghttp2 - - php74 - - vim - -- name: SERVICE | Force start services - service: - name: "{{ item }}" - state: started - enabled: true - register: sf - loop: - - php-fpm - -- name: STAT | Check ports - stat: - path: /usr/ports - register: ports - -- block: - - - name: COMMAND | Get ports - command: portsnap fetch --interactive - - - name: COMMAND | Extract ports - command: portsnap extract - no_log: true - - when: not ports.stat.exists - -- name: SHELL | Install ngrok - shell: make install clean DISABLE_LICENSES=yes - args: - chdir: /usr/ports/security/ngrok - creates: "{{ ngrok_path }}" diff --git a/tests/includes/pre_common.yml b/tests/includes/pre_common.yml deleted file mode 100644 index 3af4289..0000000 --- a/tests/includes/pre_common.yml +++ /dev/null @@ -1,59 +0,0 @@ ---- - -- name: COMMAND | Start ngrok - ansible.builtin.command: daemonize -l /tmp/ngrok.lock {{ ngrok_path }} http 80 --scheme http - failed_when: false - changed_when: ngrok.stderr.find("Can't lock the lock file") == -1 - register: ngrok - -- name: WAIT_FOR | ngrok started # noqa: no-handler - ansible.builtin.wait_for: - delay: 2 - port: 4040 - when: ngrok.changed - -- name: SHELL | Get ngrok public address - ansible.builtin.shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3 - args: - executable: /bin/bash - register: ngrok - changed_when: false - -- name: FILE | Create an internal SSL dir - ansible.builtin.file: - path: "{{ int_ansible_ssl_dir }}" - state: directory - mode: 0750 - owner: root - group: root - -- name: COPY | Deploy test cert/key - ansible.builtin.copy: - src: "file/{{ item }}" - dest: "{{ int_ansible_ssl_dir }}/{{ item }}" - mode: 0640 - owner: root - group: root - loop: - - 'test.key' - - 'test.crt' - -- name: COPY | Add all hosts in /etc/hosts - ansible.builtin.copy: - content: | - 127.0.0.1 localhost - {% for s in nginx_sites %} - {% if s.name is string %} - 127.0.0.1 {{ s.name }} - {% else %} - 127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %} - {% endif %} - {% if s.redirect_from is defined %} - 127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %} - {% endif %} - {% endfor %} - dest: "/etc/hosts" - mode: 0644 - owner: root - group: root - unsafe_writes: true diff --git a/tests/templates/custom_template.conf.j2 b/tests/templates/custom_template.conf.j2 deleted file mode 100644 index 9c19619..0000000 --- a/tests/templates/custom_template.conf.j2 +++ /dev/null @@ -1,16 +0,0 @@ -# {{ ansible_managed }} - custom template - -server { - listen 80; - listen 8888 http2; - listen 9999 http2 proxy_protocol; - server_name {{ item.name }}; - - index index.html index.htm; - - root {{ item.root }}; - - location / { - try_files $uri $uri/ =404; - } -} diff --git a/tests/test.yml b/tests/test.yml deleted file mode 100644 index f733884..0000000 --- a/tests/test.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: Launch tests # noqa: role-name[path] - hosts: all - pre_tasks: - - name: INCLUDE_TASKS | Pre_tasks related to OS version - ansible.builtin.include_tasks: "includes/pre_{{ ansible_os_family }}.yml" - - - name: IMPORT_TASKS | Pre_tasks common - ansible.builtin.import_tasks: "includes/pre_common.yml" - - roles: - - ../../ - - post_tasks: - - name: INCLUDE_TASKS | Post_tasks related to OS version - ansible.builtin.include_tasks: "includes/post_{{ ansible_os_family }}.yml" - - - name: IMPORT_TASKS | Post_tasks common - ansible.builtin.import_tasks: "includes/post_common.yml" From 40d14922b9636078d85679bdae5c35418a8abc97 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Mon, 2 Jun 2025 10:43:10 +0200 Subject: [PATCH 5/8] :memo: Update docs --- doc/auth.md | 4 ++-- doc/site.md | 10 ++++------ doc/ssl.md | 6 +++--- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/doc/auth.md b/doc/auth.md index 28bf962..88d6b33 100644 --- a/doc/auth.md +++ b/doc/auth.md @@ -20,12 +20,12 @@ Example ```yaml nginx_sites: -# htpasswd on all site + # htpasswd on all site - name: test.local htpasswd: 'hello' template: '_base' -# htpasswd only in /hello + # htpasswd only in /hello - name: test-location.local template: '_base' location: diff --git a/doc/site.md b/doc/site.md index 8f8c940..cadb408 100644 --- a/doc/site.md +++ b/doc/site.md @@ -1,7 +1,7 @@ Site management =============== -You can see many examples in: [tests/test.yml](../tests/test.yml). +You can see many examples in: [molecule/_shared/group_vars/all/main.yml](../molecule/_shared/group_vars/all/main.yml). `nginx_sites`: List of dict. A site has few keys. See bellow. @@ -34,7 +34,7 @@ Pre-built site config - `redirect_to_code`: Redirect code (default: 302) - `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to `['https']`. - `location`: (O) Add new custom locations (it does not overwrite!) -- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [tests/test.yml](../tests/test.yml)). +- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [molecule/_shared/group_vars/all/main.yml](../molecule/_shared/group_vars/all/main.yml)). - `location_before`: (O) Add new custom locations before generated location by template - `location_order_before`: (O) Manages location order for `location_before` - `more`: (O) Add more custom infos. @@ -87,7 +87,7 @@ You can manage default site by setting domain name to these variables. ```yaml -- nginx_sites: +nginx_sites: - name: 'mywebsite.com' template: '_wordpress' headers: @@ -108,7 +108,7 @@ You can add some extra infos if needed. ### Example: ```yaml -- nginx_sites: +nginx_sites: - name: 'mycustom-website.com' custom_template: 'my/template_dir/the-template.conf.j2' allow_admin: '192.168.0.0/24' @@ -137,5 +137,3 @@ server { } } ``` - - diff --git a/doc/ssl.md b/doc/ssl.md index fd66775..0c4a64d 100644 --- a/doc/ssl.md +++ b/doc/ssl.md @@ -32,7 +32,7 @@ You can use these variables if you use another task/role to manages your certifi - `dest_cert`: remote path where certificate is located - `dest_key`: remote path where key is located -### Self signed +### Self-signed Create a self-signed pair and deploy it. Do not use this feature in production. @@ -45,7 +45,7 @@ Uses acme.sh to create free certificates. It uses HTTP-01 challenge. Use this fe - `acme`: set true to use this feature. It uses `name` (can be a string or string list). -Have a look to [acme configuration](acme.md configuration). +Have a look to [acme configuration](acme.md). Tips ---- @@ -61,7 +61,7 @@ Example ------- ```yaml -nginx_sites; +nginx_sites: - name: 'test-ssl.local' proto: ['http', 'https'] template: '_base' From 277cf7fe74749c97155e2d0031dea4dd92d64a11 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Mon, 2 Jun 2025 10:50:12 +0200 Subject: [PATCH 6/8] :construction_worker: Change ansible-lint in CI --- .github/workflows/ci.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c783900..d502f71 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,13 +31,9 @@ jobs: ansible-lint: name: Ansible Lint - runs-on: ubuntu-latest - + runs-on: ubuntu-24.04 steps: - - name: Fetch code - uses: actions/checkout@v3 - with: - fetch-depth: 0 + - uses: actions/checkout@v4 - name: Run ansible-lint - uses: ansible/ansible-lint-action@v6.15.0 + uses: ansible/ansible-lint@main From bf37be22f7dc6169f3979025756de704c437c0a4 Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Mon, 2 Jun 2025 11:00:11 +0200 Subject: [PATCH 7/8] :rocket: Support Ubuntu 24.04 + Debian 13 --- .github/workflows/molecule.yml | 4 +++- README.md | 4 +++- molecule/debian-12/molecule.yml | 4 ++-- molecule/debian-13/molecule.yml | 13 +++++++++++++ molecule/ubuntu-24.04/molecule.yml | 13 +++++++++++++ 5 files changed, 34 insertions(+), 4 deletions(-) create mode 100644 molecule/debian-13/molecule.yml create mode 100644 molecule/ubuntu-24.04/molecule.yml diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml index ea12ae4..ecdd48b 100644 --- a/.github/workflows/molecule.yml +++ b/.github/workflows/molecule.yml @@ -18,11 +18,13 @@ jobs: - debian-10 - debian-11 - debian-12 + - ubuntu-20.04 - ubuntu-22.04 + - ubuntu-24.04 allowed-to-fail: - false include: - - scenario: ubuntu-20.04 + - scenario: debian-13 allowed-to-fail: true steps: diff --git a/README.md b/README.md index 00dd1b6..8abff25 100644 --- a/README.md +++ b/README.md @@ -26,9 +26,11 @@ Supported OS: | Debian Stretch (9) | Yes | Check latest supported version ([1.9.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.9.0)) | | Debian Buster (10) | Yes | Yes | | Debian Bullseye (11) | Yes | Yes | -| Debian Bookworm (12) | Yes | Not yet :) | +| Debian Bookworm (12) | Yes | Yes | +| Debian Trixie (13) | WIP | Not yet | | Ubuntu 20.04 | Yes | Yes | | Ubuntu 22.04 | Yes | Yes | +| Ubuntu 24.04 | Yes | Yes | Requirements ------------ diff --git a/molecule/debian-12/molecule.yml b/molecule/debian-12/molecule.yml index 6d4e51f..18d1680 100644 --- a/molecule/debian-12/molecule.yml +++ b/molecule/debian-12/molecule.yml @@ -1,8 +1,8 @@ --- platforms: - - name: debian-12 - image: dokken/debian-12 + - name: debian-13 + image: dokken/debian-13 command: /lib/systemd/systemd dockerfile: ../_shared/Dockerfile.j2 capabilities: diff --git a/molecule/debian-13/molecule.yml b/molecule/debian-13/molecule.yml new file mode 100644 index 0000000..058273c --- /dev/null +++ b/molecule/debian-13/molecule.yml @@ -0,0 +1,13 @@ +--- + +platforms: + - name: debian-12 + image: dokken/debian-13 + command: /lib/systemd/systemd + dockerfile: ../_shared/Dockerfile.j2 + capabilities: + - SYS_ADMIN + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + privileged: true diff --git a/molecule/ubuntu-24.04/molecule.yml b/molecule/ubuntu-24.04/molecule.yml new file mode 100644 index 0000000..0a569eb --- /dev/null +++ b/molecule/ubuntu-24.04/molecule.yml @@ -0,0 +1,13 @@ +--- + +platforms: + - name: ubuntu-24.04 + image: dokken/ubuntu-24.04 + command: /lib/systemd/systemd + dockerfile: ../_shared/Dockerfile.j2 + capabilities: + - SYS_ADMIN + cgroupns_mode: host + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + privileged: true From da4e9dfc4f346dbe31edb5690bc555c2ec5565da Mon Sep 17 00:00:00 2001 From: Emilien Mantel Date: Mon, 2 Jun 2025 13:07:38 +0200 Subject: [PATCH 8/8] :art: Fix imports in Ansible Galaxy --- .github/workflows/{galaxy.yml => ansible_galaxy.yml} | 0 meta/main.yml | 2 +- molecule/_shared/prepare.yml | 6 +++--- molecule/_shared/verify.yml | 10 +++++----- tasks/config.yml | 8 ++++---- tasks/htpasswd.yml | 2 +- tasks/prepare.yml | 2 +- tasks/site.yml | 8 ++++---- tasks/ssl/acme.yml | 4 ++-- tasks/ssl/standard.yml | 8 ++++---- tasks/upstream.yml | 4 ++-- 11 files changed, 27 insertions(+), 27 deletions(-) rename .github/workflows/{galaxy.yml => ansible_galaxy.yml} (100%) diff --git a/.github/workflows/galaxy.yml b/.github/workflows/ansible_galaxy.yml similarity index 100% rename from .github/workflows/galaxy.yml rename to .github/workflows/ansible_galaxy.yml diff --git a/meta/main.yml b/meta/main.yml index 3056cf6..6afd287 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Emilien Mantel - namespace: hanxhx + namespace: HanXHX role_name: nginx description: Nginx for Debian / Ubuntu company: TripleStack diff --git a/molecule/_shared/prepare.yml b/molecule/_shared/prepare.yml index c4dc253..df85445 100644 --- a/molecule/_shared/prepare.yml +++ b/molecule/_shared/prepare.yml @@ -73,7 +73,7 @@ ansible.builtin.file: path: "{{ int_ansible_ssl_dir }}" state: directory - mode: 0750 + mode: "0750" owner: root group: root @@ -81,7 +81,7 @@ ansible.builtin.copy: src: "file/{{ item }}" dest: "{{ int_ansible_ssl_dir }}/{{ item }}" - mode: 0640 + mode: "0640" owner: root group: root loop: @@ -103,7 +103,7 @@ {% endif %} {% endfor %} dest: "/etc/hosts" - mode: 0644 + mode: "0644" owner: root group: root unsafe_writes: true diff --git a/molecule/_shared/verify.yml b/molecule/_shared/verify.yml index 2f14efc..e088110 100644 --- a/molecule/_shared/verify.yml +++ b/molecule/_shared/verify.yml @@ -13,7 +13,7 @@ ansible.builtin.copy: dest: "{{ nginx_root }}/{{ item }}/public/index.php" content: "