Disable tests for owncloud (fix later)

Freebsd support

.gitignore

@@ -1,2 +1,3 @@
 .vagrant*
 *.swp
+*.retry

.travis.yml

@@ -1,5 +1,4 @@
 env:
-  - PLATFORM=debian-wheezy
   - PLATFORM=debian-jessie
 
 sudo: required
@@ -11,3 +10,6 @@ services:
 
 script:
   - docker build -f tests/$PLATFORM.Dockerfile -t test-$PLATFORM . && docker run --name $PLATFORM test-$PLATFORM
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -1,9 +1,9 @@
-Nginx for Debian Ansible role
+Nginx for Debian/FreeBSD Ansible role
-=============================
+=====================================
 
-[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/list#/roles/4399) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx)
+[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx)
 
-Install and configure Nginx on Debian.
+Install and configure Nginx on Debian/FreeBSD.
 
 Features:
 
@@ -24,9 +24,15 @@ Role Variables
 
 ### Packaging
 
+Debian:
+
 - `nginx_apt_package`: APT nginx package (try: apt-cache search ^nginx)
 - `nginx_backports`: Install nginx from backport repository (bool)
 
+FreeBSD:
+
+- `nginx_pkgng_package`: PKGNG nginx package (should be "nginx" or "nginx-devel")
+
 ### Shared
 
 - `nginx_root`: root directory where you want to have your files
@@ -53,12 +59,19 @@ Fine configuration
 
 [Upstream Configuration](doc/upstream.md)
 
-[Vhost configuration](doc/vhost.md)
-
 [SSL/TLS Configuration](doc/ssl.md)
 
 [Basic Auth](doc/auth.md)
 
+[FreeBSD](doc/freebsd.md)
+
+
+Note
+----
+
+- Active support for Debian.
+- FreeBSD support is experimental (no Travis). I only test (for the moment) 10.2 (but it can work on other versions).
+- I don't manage BackupPC for FreeBSD (PR welcome).
 
 Dependencies
 ------------

Vagrantfile

@@ -5,10 +5,13 @@
 
 Vagrant.configure("2") do |config|
 
-  vms = [
+  vms_debian = [
-    [ "debian-wheezy", "deb/wheezy-amd64" , "192.168.33.27" ],
+    [ "debian-jessie", "debian/jessie64" ],
-    [ "debian-jessie", "deb/jessie-amd64", "192.168.33.28" ],
+    [ "debian-stretch", "sharlak/debian_stretch_64" ]
-    [ "debian-stretch", "sharlak/debian_stretch_64", "192.168.33.29" ]
+  ]
+
+  vms_freebsd = [
+    [ "freebsd-10.2", "freebsd/FreeBSD-10.2-STABLE" ]
   ]
 
   config.vm.provider "virtualbox" do |v|
@@ -16,11 +19,10 @@ Vagrant.configure("2") do |config|
     v.memory = 256
   end
 
-  vms.each do |vm|
+  vms_debian.each do |vm|
     config.vm.define vm[0] do |m|
       m.vm.box = vm[1]
-      m.vm.network "private_network", ip: vm[2]
+      m.vm.network "private_network", type: "dhcp"
-
       m.vm.provision "ansible" do |ansible|
         ansible.playbook = "tests/test.yml"
         ansible.groups = { "test" => [ vm[0] ] }
@@ -29,4 +31,25 @@ Vagrant.configure("2") do |config|
       end
     end
   end
+  # See: https://forums.freebsd.org/threads/52717/
+  vms_freebsd.each do |vm|
+    config.vm.define vm[0] do |m|
+      m.vm.box = vm[1]
+      m.vm.network "private_network", type: "dhcp"
+      m.vm.guest = :freebsd
+      m.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
+      m.ssh.shell = "sh"
+      m.vm.base_mac = "080027D14C66"
+      m.vm.provision "shell", inline: "pkg install -y python bash"
+      m.vm.provision "ansible" do |ansible|
+        ansible.playbook = "tests/test.yml"
+        ansible.groups = { "test" => [ vm[0] ] }
+        ansible.verbose = 'vv'
+        ansible.sudo = true
+        ansible.extra_vars = {
+          ansible_python_interpreter: '/usr/local/bin/python'
+        }
+      end
+    end
+  end
 end

defaults/main.yml

@@ -1,14 +1,16 @@
 ---
 
+# Debian
 nginx_apt_package: nginx-full
 nginx_backports: false
+# FreeBSD
+nginx_pkgng_package: nginx
 
 #
 # Nginx shared variables
 #
 nginx_root: "/srv/www"
 nginx_log_dir: '/var/log/nginx'
-nginx_pid: '/run/nginx.pid'
 nginx_resolver_hosts: ['8.8.8.8', '8.8.4.4']
 nginx_resolver_valid: '300s'
 nginx_resolver_timeout: '5s'
@@ -20,18 +22,21 @@ nginx_default_vhost_ssl: null
 #
 # Nginx directories
 #
-nginx_htpasswd_dir: '/etc/nginx/htpasswd'
+nginx_htpasswd_dir: '{{ nginx_etc_dir }}/htpasswd'
-nginx_ssl_dir: '/etc/nginx/ssl'
+nginx_ssl_dir: '{{ nginx_etc_dir }}/ssl'
-nginx_helper_dir: '/etc/nginx/helper'
+nginx_helper_dir: '{{ nginx_etc_dir}}/helper'
 
 #
 # Load upstream
 #
 
 # PHP
-nginx_php: false
+nginx_php56: false
-nginx_php_sockets:
+nginx_php70: false
-  - unix_socket: "/var/run/php5-fpm.sock"
+nginx_php56_sockets:
+  - unix_socket: "/run/php5-fpm.sock"
+nginx_php70_sockets:
+  - unix_socket: "/run/php/php7.0-fpm.sock"
 nginx_upstreams: []
 
 #
@@ -45,7 +50,6 @@ nginx_worker_processes: '{{ ansible_processor_vcpus }}'
 #
 nginx_events_worker_connections: '512'
 nginx_events_multi_accept: 'on'
-nginx_events_use: 'epoll'
 
 #
 # Nginx HTTP
@@ -81,9 +85,9 @@ nginx_http_gzip_vary: 'on'
 nginx_http_gzip_disable: '"msie6"'
 
 #
-# nginx_http_custom
+# Custom global configuration
 #
-nginx_http_custom: []
+nginx_custom_http: []
 
 #
 # Vhosts
@@ -106,3 +110,10 @@ nginx_ssl_pairs: []
 nginx_dh: null
 nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
 nginx_dh_length: 2048
+
+# Extra
+
+# Note:
+#   - On Debian, if you use Owncloud from Upstream repository, you must set this var to "/var/www/owncloud"
+#   - TODO: force this var in vars/FreeBSD.yml
+nginx_owncloud_root: '/usr/share/owncloud'

doc/auth.md

@@ -10,15 +10,15 @@ Each htpasswd has few keys:
 
 - `name`: (M) used to create file and as pointee
 - `description`: (M) Used for the message box :)
-- `users`: each users is composed with 3 keys: `name` (M), `password` (M) and `state` present/absent (default: present)
+- `users`: each users is composed with 3 keys: `name` (M), `password` (M) and `state` (O) present/absent (default: present)
 - `state`: (O) present or absent. Default: present
 
-`nginx_htpasswd` should be placed in a vaut file.
+`nginx_htpasswd` should be placed in a vault file.
 
 Example
 -------
 
-```
+```yaml
 nginx_vhosts:
 # htpasswd on all vhost
   - name: test.local

doc/freebsd.md

@@ -0,0 +1,4 @@
+Freebsd
+=======
+
+Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`.

doc/php.md

@@ -1,8 +1,8 @@
 PHP
 ===
 
-- `nginx_php`: boolean if you need to preconfigure PHP (default: false)
+- `nginx_php56` and `nginx_php70`: boolean if you need to preconfigure PHP (default: false)
-- `nginx_php_sockets`: list of sockets (see bellow)
+- `nginx_php##_sockets`: list of sockets (see bellow)
 
 You should see [Nginx upstream module doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
 
@@ -15,4 +15,4 @@ Each socket have:
 - `max_fails`
 - `fail_timeout`
 
-With default configuration, it works fine with PHP-FPM. But if you install PHP7 with Dotdeb, path changed between version, you must set well this list.
+With default configuration, it works fine with PHP-FPM.

doc/ssl.md

@@ -27,7 +27,6 @@ OR
 - `dest_cert`: remote path where certificate is located
 - `dest_key`: remote path where key is located
 
-
 Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
 
 Tips
@@ -35,9 +34,6 @@ Tips
 
 Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
 
-If you set all, you can deploy your key everywhere with wanted data!
-
-
 Diffie-Hellman
 --------------
 
@@ -46,7 +42,7 @@ If you do not specify any dh param, this role auto generates it.
 Example
 -------
 
-```
+```yaml
 nginx_vhosts;
   - name: 'test-ssl.local'
     proto: ['http', 'https']

doc/upstream.md

@@ -11,6 +11,7 @@ Upstream params
 - `name`: upstream name. Can be use in vhost with *proxy_pass http://upstream_name*
 - `params`: list of param (hash, zone...)
 - `servers`: each upstream MUST have at least 1 server
+- `state`: Optional. Can be 'absent' or 'present'
 
 Server params
 -------------
@@ -25,5 +26,18 @@ All this params are optional. You should see [Nginx upstream doc](http://nginx.o
 - `backup`
 - `down`
 - `route`
-- `slow`start`
+- `slow_start`
 
+Example
+-------
+
+```yaml
+nginx_upstreams:
+  - name: 'proxy_apache'
+    servers:
+      - path: '127.0.0.1:80'
+        max_conns: 150
+        weight: 10
+        down: false
+    state: 'present'
+```

doc/vhost.md

@@ -10,11 +10,14 @@ Common
 
 - `name`: (M) Domain or list of domain used.
 - `template`: (D) template used to create vhost. Optional if you set `delete` to true or using `redirect_tor`.
+- `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword).
 - `enable`: (O) Enable the vhost (default is true)
 - `delete`: (O) Delete the vhost (default is false)
 - `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
 - `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
+- `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html).
 - `redirect_to_code`: Redirect code (default: 302)
+- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```.
 - `location`: (O) Add new custom locations (it does not overwrite!)
 - `more`: (O) Add more custom infos.
 - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
@@ -23,6 +26,8 @@ Common
 - `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost.
 - `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
 - `ssl_name`: (D) name of the key used when using TLS/SSL. Mandatory when `proto` contains "https"
+- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false". 
+- `php_version` (O) Sepecify PHP version (5 or 7)
 
 (O): Optional
 (M): Mandatory
@@ -36,6 +41,7 @@ Templates
 - `_dokuwiki`
 - `_redirect`: should not be called explicitly
 - `_nagios3`: access to Nagios3 (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap))
+- `_owncloud`: access to Owncloud (note: you must set `nginx_apt_package` to //nginx-extras//) **UNSTABLE**
 - `_phalcon`: Phalcon PHP Framework
 - `_php`: PHP base template. Can work with many frameworks/tools
 - `_php_index`: Same as above. But you can only run index.php

files/web/index.html

@@ -1 +0,0 @@
-<h1>HTML works</h1>

files/web/index.php

@@ -1,3 +0,0 @@
-<?php
-
-echo "<h1>PHP works!</h1>";

handlers/main.yml

@@ -1,4 +1,13 @@
 ---
 
+# Reload wrapper
 - name: reload nginx
-  action: service name=nginx state=reloaded enabled=yes
+  command: nginx -t
+  notify: real-reload nginx
+
+- name: real-reload nginx
+  service: name=nginx state=reloaded
+
+- name: restart nginx freebsd
+  service: name=nginx state=restarted
+  when: ansible_distribution == "FreeBSD"

meta/main.yml

@@ -8,9 +8,19 @@ galaxy_info:
   platforms:
   - name: Debian
     versions:
-    - wheezy
     - jessie
-  categories:
+  - name: FreeBSD
+    versions:
+    - 10.2
+  galaxy_tags:
   - web
+  - proxy
+  - http
+  - http2
+  - https
+  - ssl
+  - tls
+  - nginx
+  - cdn
 dependencies: []
 

tasks/config.yml

@@ -3,7 +3,7 @@
 - name: TEMPLATE | Deploy nginx.conf
   template: >
     src=etc/nginx/nginx.conf.j2
-    dest=/etc/nginx/nginx.conf
+    dest="{{ nginx_etc_dir }}/nginx.conf"
   notify: reload nginx
 
 - name: TEMPLATE | Deploy all helpers
@@ -16,6 +16,6 @@
 - name: TEMPLATE | Deploy custom http configuration
   template: >
     src=etc/nginx/conf.d/custom.conf.j2
-    dest=/etc/nginx/conf.d/custom.conf
+    dest="{{ nginx_etc_dir }}/conf.d/custom.conf"
   notify: reload nginx
 

tasks/htpasswd.yml

@@ -4,7 +4,7 @@
   file: >
     path={{ nginx_htpasswd_dir }}/{{ item.name }}
     state=absent
-  with_items: nginx_htpasswd
+  with_items: "{{ nginx_htpasswd }}"
   when: item.state is defined and item.state == 'absent'
 
 - name: HTPASSWD | Manage files
@@ -14,6 +14,6 @@
     state={{ item.1.state | default('present') }}
     path={{ nginx_htpasswd_dir }}/{{ item.0.name }}
   with_subelements:
-    - nginx_htpasswd
+    - "{{ nginx_htpasswd }}"
     - users
   when: item.0.state is not defined or item.0.state == 'present'

tasks/install_Debian.yml

@@ -1,11 +1,21 @@
 ---
 
+- name: APT | Update cache
+  apt: >
+    update_cache=yes
+    cache_valid_time=3600
+
+- name: APT | Force OpenSSL from backports (fix dependency break)
+  apt: >
+    pkg=openssl
+    state=latest
+    default_release={{ ansible_distribution_release + '-backports' }}
+  when: nginx_backports
+
 - name: APT | Install nginx and dependencies
   apt: >
     pkg={{ nginx_apt_package }}
     state=present
-    update_cache=yes
-    cache_valid_time=3600
     default_release={{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}
 
 - name: APT | Install python-passlib

tasks/install_FreeBSD.yml

@@ -0,0 +1,46 @@
+---
+
+- name: PKGNG | Install nginx and related tools
+  pkgng: name={{ item }} state=present
+  with_items:
+    - "{{ nginx_pkgng_package }}"
+    - py27-passlib
+    - curl
+
+- name: FILE | Create configuration dir (like Debian)
+  file: path="{{ nginx_etc_dir }}/{{ item }}" state=directory
+  with_items:
+    - conf.d
+    - sites-available
+    - sites-enabled
+
+- name: STAT | Check fastcgi.conf
+  stat: path={{ nginx_etc_dir }}/fastcgi.conf
+  register: conf
+
+- name: COPY | config
+  command: "cp {{ nginx_etc_dir }}/fastcgi_params {{ nginx_etc_dir }}/fastcgi.conf"
+  when: not conf.stat.exists
+  notify: reload nginx
+
+- name: LINEINFILE | Add fastcgi config
+  lineinfile: >
+    line="fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;"
+    dest="{{ nginx_etc_dir }}/fastcgi.conf"
+  notify: reload nginx
+
+- name: COPY | Populate proxy_params
+  copy: >
+    content="proxy_set_header Host $http_host;\nproxy_set_header X-Real-IP $remote_addr;\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;"
+    dest="{{ nginx_etc_dir }}/proxy_params"
+
+- name: FILE | Create log directory
+  file: >
+    path={{ nginx_log_dir }}
+    owner={{ nginx_user }}
+    group=wheel
+    mode=0755
+    state=directory
+
+- name: SERVICE | Enable nginx
+  service: name=nginx enabled=yes

tasks/main.yml

@@ -1,7 +1,10 @@
 ---
 
+- name: INCLUDE_VARS | Related to OS
+  include_vars: "{{ ansible_distribution }}.yml"
+
 - name: INCLUDE | Install
-  include: install.yml
+  include: install_{{ ansible_distribution }}.yml
 
 - name: INCLUDE | Prepare
   include: prepare.yml

tasks/prepare.yml

@@ -2,14 +2,22 @@
 
 - name: SHELL | Get Nginx version
   shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1
+  args:
+    executable: /bin/sh
   register: nginx_version
   changed_when: false
 
 - name: SHELL | Get module list
-  shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed -r 's/_module\s*$//g' |sort
+  shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed 's/_module[[:space:]]*//g' | sort
-  register: nginx_modules
+  args:
+    executable: /bin/sh
+  register: shell_modules
   changed_when: false
 
+- name: SET_FACT | Save modules
+  set_fact:
+    nginx_modules: "{{ shell_modules.stdout_lines }}"
+
 - name: FILE | Create folders
   file: dest={{ item }} owner=root mode=0755 state=directory
   with_items: "{{ nginx_dirs }}"

tasks/ssl.yml

@@ -18,14 +18,14 @@
   file: >
     path="{{ nginx_ssl_dir + '/' + item.name }}"
     state=directory
-  with_items: nginx_ssl_pairs
+  with_items: "{{ nginx_ssl_pairs }}"
   when: item.dest_key is not defined or item.dest_cert is not defined
 
 - name: COPY | Deploy SSL keys
   copy: >
     content="{{ item.key }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
-  with_items: nginx_ssl_pairs
+  with_items: "{{ nginx_ssl_pairs }}"
   when: item.key is defined
   notify: reload nginx
 
@@ -33,7 +33,7 @@
   copy: >
     content="{{ item.cert }}"
     dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
-  with_items: nginx_ssl_pairs
+  with_items: "{{ nginx_ssl_pairs }}"
   when: item.cert is defined
   notify: reload nginx
 

tasks/upstream.yml

@@ -1,11 +1,24 @@
 ---
 
 - name: TEMPLATE | Deploy PHP upstream to Nginx
-  template: src=etc/nginx/upstream/php.conf.j2 dest=/etc/nginx/conf.d/php.conf
+  template: >
-  when: nginx_php
+    src=etc/nginx/upstream/php.conf.j2
+    dest="{{ nginx_etc_dir }}/conf.d/php.conf"
+  when: nginx_php56 or nginx_php70
   notify: reload nginx
 
 - name: TEMPLATE | Deploy other upstreams
-  template: src=etc/nginx/upstream/upstream.conf.j2 dest=/etc/nginx/conf.d/upstream-{{ item.name }}.conf
+  template: >
-  with_items: nginx_upstreams
+    src=etc/nginx/upstream/upstream.conf.j2
+    dest={{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf
+  with_items: "{{ nginx_upstreams }}"
+  when: item.state is not defined or item.state == 'present'
+  notify: reload nginx
+
+- name: FILE | Delete other upstreams
+  file: >
+    path={{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf
+    state=absent
+  with_items: "{{ nginx_upstreams }}"
+  when: item.state is defined and item.state == 'absent'
   notify: reload nginx

tasks/vhost.yml

@@ -1,40 +1,38 @@
 ---
 
+- name: FAIL | Check filenames
+  fail: msg="Forbidden keyword default on vhost {{ item.name if item.name is string else item.name[0] }}"
+  when: item.filename is defined and item.filename == 'default'
+  with_items: "{{ nginx_vhosts }}"
+
 - name: FAIL | Check vhost and SSL/TLS support
   fail: msg="Missmatch configuration for vhost {{ item.name if item.name is string else item.name[0] }}"
   when: >
     item.proto is defined and
     'https' in item.proto and
     item.ssl_name is not defined
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
+
+- name: FAIL | Check HTTPS redir and proto
+  fail: msg="You can't have HTTP proto and HTTPS redirection at the same time"
+  when: >
+    ((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
+    (item.redirect_http is defined and item.redirect_http)
+  with_items: "{{ nginx_vhosts }}"
 
 - name: FILE | Create root directory
   file: >
     path={{ nginx_root }}
     state=directory
 
-- name: FILE | Create root folders (foreach nginx_vhosts)
-  file: >
-    path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}
-    state=directory
-    owner={{ item.owner | default('www-data') }}
-    group={{ item.group | default('www-data') }}
-    mode={{ item.mode | default('0755') }}
-  with_items: nginx_vhosts
-  when: >
-    item.root is not defined and
-    (item.template is defined and item.template not in nginx_templates_no_dir) and
-    (item.delete is not defined or not item.delete) and
-    item.redirect_to is not defined
-
 - name: FILE | Create root public folders (foreach nginx_vhosts)
   file: >
     path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}/public
     state=directory
-    owner={{ item.owner | default('www-data') }}
+    owner={{ item.owner | default(nginx_user) }}
-    group={{ item.group | default('www-data') }}
+    group={{ item.group | default(nginx_user) }}
     mode={{ item.mode | default('0755') }}
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
   when: >
     item.root is not defined and
     (item.template is defined and item.template not in nginx_templates_no_dir) and
@@ -44,50 +42,46 @@
 - name: TEMPLATE | Create vhosts
   template: >
     src=etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2
-    dest=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }}
+    dest={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
-  notify: reload nginx
+  notify: ['reload nginx', 'restart nginx freebsd']
   when: item.delete is not defined or not item.delete
 
-#- name: COPY | Add index.html / index.php
-#  copy: src={{ item }} dest={{ nginx_root }}/{{ item.name }}/public/{{ item }} owner=www-data group=www-data mode=0666
-#  with_fileglob: "web/*"
-
 - name: FILE | Delete vhosts
-  file: path=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }} state=absent
+  file: path={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
-  notify: reload nginx
+  notify: ['reload nginx', 'restart nginx freebsd']
   when: item.delete is defined and item.delete
 
 - name: FILE | Enable vhosts
   file: >
-    src=/etc/nginx/sites-available/{{ item.name if item.name is string else item.name[0] }}
+    src={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
-    dest=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }}
+    dest={{ nginx_etc_dir }}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
     state=link
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
-  notify: reload nginx
+  notify: ['reload nginx', 'restart nginx freebsd']
   when: >
     ((item.enable is not defined) or
     (item.enable is defined and item.enable)) and
     (item.delete is not defined or not item.delete)
 
 - name: FILE | Disable vhosts
-  file: path=/etc/nginx/sites-enabled/{{ item.name if item.name is string else item.name[0] }} state=absent
+  file: path={{ nginx_etc_dir}}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
-  with_items: nginx_vhosts
+  with_items: "{{ nginx_vhosts }}"
-  notify: reload nginx
+  notify: ['reload nginx', 'restart nginx freebsd']
   when: (item.enable is defined and not item.enable) or (item.delete is defined and item.delete)
 
 - name: FILE | Delete default vhost when explicitely defined
   file: >
-    path=/etc/nginx/sites-enabled/default
+    path={{ nginx_etc_dir }}/sites-enabled/default
     state=absent
-  notify: reload nginx
+  notify: ['reload nginx', 'restart nginx freebsd']
   when: nginx_default_vhost is not none
 
 - name: FILE | Auto set default vhost
   file: >
-    src=/etc/nginx/sites-available/default
+    src={{ nginx_etc_dir }}/sites-available/default
-    dest=/etc/nginx/sites-enabled/default
+    dest={{ nginx_etc_dir }}/sites-enabled/default
     state=link
-  notify: reload nginx
+  notify: ['reload nginx', 'restart nginx freebsd']
   when: nginx_default_vhost is none

templates/etc/nginx/helper/ssl-legacy.j2

@@ -2,13 +2,11 @@
 # {{ ansible_managed }}
 #
 
-ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
 {% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;

templates/etc/nginx/helper/ssl-strong.j2

@@ -2,13 +2,11 @@
 # {{ ansible_managed }}
 #
 
-ssl_ciphers "AES256+EECDH:AES256+EDH";
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
-add_header X-Frame-Options DENY;
-add_header X-Content-Type-Options nosniff;
 {% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;

templates/etc/nginx/nginx.conf.j2

@@ -14,7 +14,7 @@ events {
 
 http {
 	types_hash_max_size {{ nginx_http_types_hash_max_size }};
-	include /etc/nginx/mime.types;
+	include {{ nginx_etc_dir }}/mime.types;
 
 	default_type {{ nginx_http_default_type }};
 	access_log {{ nginx_http_access_log }};
@@ -45,8 +45,8 @@ http {
 	gzip_vary {{ nginx_http_gzip_vary }};
 	gzip_disable {{ nginx_http_gzip_disable }};
 
-	include /etc/nginx/conf.d/*.conf;
+	include {{ nginx_etc_dir }}/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
+	include {{ nginx_etc_dir }}/sites-enabled/*;
 }
 
 # vim:filetype=nginx

templates/etc/nginx/sites-available/_backuppc.j2

@@ -25,7 +25,7 @@
 {% block template_upstream_location %}
 	location ~ \.cgi$ {
 		gzip off;
-		include /etc/nginx/fastcgi_params;
+		include {{ nginx_etc_dir }}/fastcgi_params;
 		fastcgi_pass unix:/var/run/fcgiwrap.socket;
 		fastcgi_index BackupPC_Admin;
 		fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name;

templates/etc/nginx/sites-available/_base.j2

@@ -3,6 +3,7 @@
 {% set __listen = item.listen | default(['80']) %}
 {% set __listen_ssl = item.listen_ssl | default(['443']) %}
 {% set __location = item.location | default({}) %}
+{% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %}
 {% macro htpasswd(htpasswd_name, indent=1) -%}
 {% for ht in nginx_htpasswd if ht.name == htpasswd_name %}
 {{ "\t" * indent }}auth_basic "{{ ht.description }}";
@@ -30,10 +31,12 @@ server {
 {% endif %}
 {% if 'https' in __proto %}
 {% for port in __listen_ssl %}
-	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules.stdout_lines %}http2{% endif %};
+	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %};
 {% endfor %}
 {{ ssl(item.ssl_name) }}
+{% if item.ssl_template is not defined or item.ssl_template != false %}
 	include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
+{% endif %}
 {% endif %}
 	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
 {% block root %}
@@ -47,16 +50,26 @@ server {
 	index {{ item.index | default('index.html index.htm') }};
 {% endblock %}
 
+{% block template_more %}
 {% if item.more is defined and item.more is iterable %}
 {% for line in item.more %}
 	{{ line }}
 {% endfor %}
 {% endif %}
+{% endblock %}
 
 {% if item.htpasswd is defined %}
 {{ htpasswd(item.htpasswd, 1) }}
 {% endif %}
 
+{% block template_headers %}
+	# --> Custom headers
+{% for key, value in __headers.iteritems() %}
+	add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
+{% endfor %}
+	# <-- Custom headers
+{% endblock %}
+
 {% if not __location.has_key('/') %}
 	location / {
 {% block template_try_files %}
@@ -70,6 +83,19 @@ server {
 {% block template_custom_location %}
 {% endblock %}
 
+{% if __location is iterable and __location | length > 0 %}
+	# --> Custom locations
+{% for location, opts in __location.iteritems() %}
+	location {{ location }} {
+{% for opt in opts %}
+{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %}
+		{{ opt }}
+{% endif %}
+{% endfor  %}
+	}
+{% endfor %}	# <-- Custom locations
+{% endif %}
+
 {% block template_local_content %}
 {% if item.manage_local_content is not defined or item.manage_local_content %}
 	location ~ /\.ht {
@@ -89,31 +115,36 @@ server {
 {% endif %}
 {% endblock %}
 
-{% if __location is iterable and __location | length > 0 %}
+{% if item.use_access_log is defined %}
-	# --> Custom locations
+{% if item.use_access_log %}
-{% for location, opts in __location.iteritems() %}
-	location {{ location }} {
-{% for opt in opts %}
-{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %}
-		{{ opt }}
-{% endif %}
-{% endfor  %}
-	}
-{% endfor %}	# <-- Custom locations
-{% endif %}
-
-{% if item.use_access_log is defined and item.use_access_log %}
 	access_log {{ nginx_log_dir }}/{{ __main_name }}_access.log combined;
 {% else %}
 	access_log off;
 {% endif %}
-{% if item.use_error_log is defined and item.use_error_log %}
+{% endif %}
+{% if item.use_error_log is defined %}
+{% if item.use_error_log %}
 	error_log {{ nginx_log_dir }}/{{ __main_name }}_error.log {{ nginx_error_log_level }};
 {% else %}
 	error_log off;
 {% endif %}
+{% endif %}
 }
 
+{% if item.redirect_https is defined and item.redirect_https %}
+#
+# Redirect HTTP to HTTPS
+#
+server {
+{% for port in __listen %}
+	listen {{ port }};
+{% endfor %}
+	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
+	return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:__listen_ssl[0]{% endif %}$request_uri;
+}
+{% endif %}
+
+
 {% if item.redirect_from is defined and item.redirect_from is iterable %}
 #
 # Redirect from

templates/etc/nginx/sites-available/_nagios3.j2

@@ -1,7 +1,7 @@
-{% extends "_base.j2" %}
+{% extends "_php.j2" %}
 
 {% block root %}
-	root /usr/share/nagios3/htdocs;
+	root {{ nginx_nagios_root }};
 {% endblock %}
 
 {% block template_try_files %}
@@ -11,32 +11,52 @@
 	index index.php index.html;
 {% endblock %}
 
+{% block template_headers %}
+	# --> Custom headers
+{% for key, value in __headers.iteritems() %}
+{% if key == "X-Frame-Options" %}
+	# X-Frame-Options forced by Ansible
+	add_header {{ key }} SAMEORIGIN{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
+{% else %}
+	add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
+{% endif %}
+{% endfor %}
+	# <-- Custom headers
+{% endblock %}
+
+
 {% block template_local_content %}
 	location ~ /\.ht {
 		deny all;
 	}
 
 	location /stylesheets {
-		alias /etc/nagios3/stylesheets;
+{% if nginx_nagios_stylesheets is defined %}
+		alias {{ nginx_nagios_stylesheets }};
+{% endif %}
 		expires 60d;
 	}
 {% endblock %}
 
 {% block template_upstream_location %}
+{% if ansible_distribution == 'Debian' %}
 	location /cgi-bin/nagios3 {
 		root /usr/lib;
+{% elif ansible_distribution == 'FreeBSD' %}
+	location /cgi-bin {
+{% endif %}
 		try_files $uri =404;
 {% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
 		include fastcgi_params;
 {% else %}
 		include fastcgi.conf;
 {% endif %}
-		fastcgi_pass unix:/var/run/fcgiwrap.socket;
+		fastcgi_pass unix:{{ nginx_fcgiwrap_sock }};
 		fastcgi_param AUTH_USER $remote_user;
 		fastcgi_param REMOTE_USER $remote_user;
 	}
 	location ~ \.php$ {
-		fastcgi_pass php;
+		fastcgi_pass {{ php_upstream }};
 		fastcgi_index index.php;
 {% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
 		include fastcgi_params;

templates/etc/nginx/sites-available/_owncloud.j2

@@ -0,0 +1,87 @@
+{% extends "_php.j2" %}
+
+{% block root %}
+	root {{ nginx_owncloud_root }};
+{% endblock %}
+
+{% block template_index %}
+	index index.php;
+{% endblock %}
+
+{% block template_more %}
+	error_page 403 /core/templates/403.php;
+	error_page 404 /core/templates/404.php;
+	gzip off;
+	client_max_body_size 10G;
+	fastcgi_buffers 64 4K;
+	rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
+	rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
+	rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
+{% endblock %}
+
+{% block template_headers %}
+	add_header X-XSS-Protection "1; mode=block";
+	add_header X-Robots-Tag none;
+	add_header X-Content-Type-Options nosniff;
+	add_header X-Download-Options noopen;
+	add_header X-Permitted-Cross-Domain-Policies none;
+	add_header X-Frame-Options SAMEORIGIN;
+{% endblock %}
+
+{% block template_try_files %}
+		try_files $uri $uri/ =404;
+{% endblock %}
+
+{% block template_upstream_location %}
+	location ~ /remote.php {
+		dav_methods PUT DELETE MKCOL COPY MOVE;
+		dav_ext_methods PROPFIND OPTIONS;
+		fastcgi_pass {{ php_upstream }};
+		fastcgi_param HOME {{ nginx_owncloud_root }};
+		fastcgi_param HTTP_HOME {{ nginx_owncloud_root }};
+		fastcgi_param PATH /usr/local/bin:/usr/bin:/bin;
+		fastcgi_param modHeadersAvailable true;
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
+		include fastcgi_params;
+{% else %}
+		include fastcgi.conf;
+{% endif %}
+	}
+
+	location ~ \.php(?:$|/) {
+		fastcgi_pass {{ php_upstream }};
+		fastcgi_index index.php;
+		fastcgi_param HOME {{ nginx_owncloud_root }};
+		fastcgi_param HTTP_HOME {{ nginx_owncloud_root }};
+		fastcgi_param PATH /usr/local/bin:/usr/bin:/bin;
+		fastcgi_param modHeadersAvailable true;
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
+		include fastcgi_params;
+{% else %}
+		include fastcgi.conf;
+{% endif %}
+	}
+{% endblock %}
+
+{% block template_local_content %}
+	location ~* \.(?:css|js)$ {
+		try_files $uri /index.php$is_args$args;
+		expires 2h;
+	}
+
+	location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
+		expires 2d;
+	}
+
+	location = /robots.txt {
+		allow all;
+		log_not_found off;
+		access_log off;
+	}
+
+	location ~ ^/(?:\.ht|data|config|db_structure\.xml|README){
+		deny all;
+	}
+{% endblock %}

templates/etc/nginx/sites-available/_php.j2

@@ -1,4 +1,24 @@
 {% extends "_base.j2" %}
+
+{% macro phpv(version) %}
+{% if version == 56 %}
+{{ nginx_upstream_php56 -}}
+{% elif version == 70 %}
+{{ nginx_upstream_php70 -}}
+{% else %}
+{# Hack... define another upstream #}
+{{ version -}}
+{% endif %}
+{%- endmacro -%}
+
+{% if item.php_version is defined %}
+{% set php_upstream = phpv(item.php_version) %}
+{% elif nginx_php56 %}
+{% set php_upstream = phpv(56) %}
+{% elif nginx_php70 %}
+{% set php_upstream = phpv(70) %}
+{% endif %}
+
 {% block template_index %}
 	index {{ item.index | default('index.html index.htm index.php') }};
 {% endblock %}
@@ -9,7 +29,7 @@
 
 {% block template_upstream_location %}
 	location ~ \.php$ {
-		fastcgi_pass php;
+		fastcgi_pass {{ php_upstream }};
 		fastcgi_index index.php;
 {% if item.upstream_params is defined and item.upstream_params is iterable %}
 {% for param in item.upstream_params %}

templates/etc/nginx/sites-available/_php_index.j2

@@ -2,7 +2,7 @@
 
 {% block template_upstream_location %}
 	location = /index.php {
-		fastcgi_pass php;
+		fastcgi_pass {{ php_upstream }};
 		fastcgi_index index.php;
 {% if item.upstream_params is defined and item.upstream_params is iterable %}
 {% for param in item.upstream_params %}

templates/etc/nginx/sites-available/_proxy.j2

@@ -7,7 +7,7 @@
 {% endblock %}
 
 {% block template_try_files %}
-		include /etc/nginx/proxy_params;
+		include {{ nginx_etc_dir }}/proxy_params;
 		proxy_pass http://{{ item.upstream_name }};
 {% if item.proxy_params is defined and item.proxy_params is iterable %}
 {% for param in item.proxy_params %}

templates/etc/nginx/upstream/php.conf.j2

@@ -2,8 +2,9 @@
 # {{ ansible_managed }}
 #
 
-upstream php {
+{% if nginx_php56 %}
-{% for item in nginx_php_sockets %}
+upstream {{ nginx_upstream_php56 }} {
+{% for item in nginx_php56_sockets %}
 {% if item.unix_socket is defined %}
 	server unix:{{ item.unix_socket }} weight={{ item.weight | default('1') }};
 {% else %}
@@ -12,4 +13,18 @@ upstream php {
 {% endfor %}
 }
 
+{% endif %}
+{% if nginx_php70 %}
+upstream {{ nginx_upstream_php70 }} {
+{% for item in nginx_php70_sockets %}
+{% if item.unix_socket is defined %}
+	server unix:{{ item.unix_socket }} weight={{ item.weight | default('1') }};
+{% else %}
+	server {{ item.host }}:{{ item.port }} weight={{ item.weight | default('1') }} max_fails={{ item.max_fails | default('5') }} fail_timeout={{ item.fail_timeout | default('10s') }};
+{% endif %}
+{% endfor %}
+}
+
+{% endif %}
+
 # vim:filetype=nginx

tests/debian-wheezy.Dockerfile

@@ -1,4 +0,0 @@
-FROM williamyeh/ansible:debian7-onbuild
-
-RUN apt-get update
-CMD ["sh", "tests/test.sh"]

tests/includes/post_Debian.yml

@@ -0,0 +1,11 @@
+---
+
+- name: APT | Install web apps
+  apt: pkg={{ item }} state=present install_recommends=no
+  with_items:
+    - backuppc
+    - nagios3
+#    - owncloud
+
+- name: SERVICE | Ensure backuppc is started
+  service: name=backuppc state=started

tests/includes/post_FreeBSD.yml

@@ -0,0 +1,31 @@
+---
+
+- name: APT | Install web apps
+  pkgng: pkg={{ item }} state=present
+  with_items:
+    - nagios
+    - backuppc
+
+- name: COMMAND | Activate backuppc config
+  command: >
+    cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl
+    creates=/usr/local/etc/backuppc/config.pl
+
+- name: FILE | Fix backuppc permissions
+  file: >
+    path=/usr/local/etc/backuppc/config.pl
+    owner=backuppc
+    group=backuppc
+
+- name: FILE | Fix fcgiwrap permission
+  file: >
+    path={{ nginx_fcgiwrap_sock }}
+    mode=0640
+    owner={{ nginx_user }}
+    group={{ nginx_user }}
+
+#
+# We don't manage BackupPC on FreeBSD... too dirty. :/
+#
+#- name: SERVICE | Ensure backuppc is started
+#  service: name=backuppc state=started enabled=yes

tests/includes/pre_Debian.yml

@@ -0,0 +1,36 @@
+---
+
+- name: APT_REPOSITORY | Install backports
+  apt_repository: repo='deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' state=present
+
+- block:
+  - name: APT | Install DotDeb key
+    apt_key: url='http://www.dotdeb.org/dotdeb.gpg' state=present
+  - name: APT_REPOSITORY | Install dotdeb (PHP 7) 
+    apt_repository: repo='deb http://packages.dotdeb.org {{ ansible_distribution_release }} all' state=present
+  - name: LINEFILEFILE | Dotdeb priority (prevent install nginx from dotdeb)
+    copy: >
+      content="Package: *\nPin: release o=packages.dotdeb.org\nPin-Priority: 100"
+      dest=/etc/apt/preferences
+  when: ansible_distribution_release == 'jessie'
+
+- name: APT | Install needed packages
+  apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present
+  with_items:
+    - curl
+    - fcgiwrap
+    - nghttp2
+    - php5-fpm
+    - php5-sqlite
+    - php7.0-fpm
+    - php7.0-sqlite3
+    - strace
+    - vim
+
+- name: SERVICE | Force start services
+  service: name={{ item }} state=started
+  register: sf
+  with_items:
+    - php5-fpm
+    - php7.0-fpm
+    - fcgiwrap

tests/includes/pre_FreeBSD.yml

@@ -0,0 +1,25 @@
+---
+
+- name: SET_FACT | FreeBSD web user
+  set_fact:
+    nginx_pkgng_package: 'nginx-devel'
+    nginx_user: 'www'
+    nginx_php70: false
+    nginx_php56_sockets:
+      - host: '127.0.0.1'
+        port: 9000
+
+- name: PKGNG | Install needed packages
+  pkgng: pkg={{ item }} state=present
+  with_items:
+    - php56
+    - curl
+    - fcgiwrap
+    - nghttp2
+
+- name: SERVICE | Force start services
+  service: name={{ item }} state=started enabled=yes
+  register: sf
+  with_items:
+    - php-fpm
+    - fcgiwrap

tests/inventory

@@ -1 +0,0 @@
-localhost

tests/test.sh

@@ -3,19 +3,18 @@
 # Thanks to https://servercheck.in/blog/testing-ansible-roles-travis-ci-github
 
 DIR=$( dirname $0 )
-INVENTORY_FILE="$DIR/inventory"
 PLAYBOOK="$DIR/test.yml"
 
 set -ev
 
 # Check syntax
-ansible-playbook -i $INVENTORY_FILE -c local --syntax-check -vv $PLAYBOOK
+ansible-playbook -i localhost, -c local --syntax-check -vv $PLAYBOOK
 
 # Check role
-ansible-playbook -i $INVENTORY_FILE -c local --sudo -vv $PLAYBOOK
+ansible-playbook -i localhost, -c local --sudo -vv $PLAYBOOK
 
 # Check indempotence
-ansible-playbook -i $INVENTORY_FILE -c local --sudo -vv $PLAYBOOK \
+ansible-playbook -i localhost, -c local --sudo -vv $PLAYBOOK \
 | grep -q 'changed=0.*failed=0' \
 && (echo 'Idempotence test: pass' && exit 0) \
 || (echo 'Idempotence test: fail' && exit 1)

tests/test.yml

@@ -2,23 +2,8 @@
 
 - hosts: all
   pre_tasks:
-    - name: APT_REPOSITORY | Install backports
+    - name: INCLUDE | Pre_tasks related to OS version
-      apt_repository: repo='deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' state=present
+      include: "includes/pre_{{ ansible_distribution }}.yml"
-    - name: APT | Install needed packages
-      apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present
-      with_items:
-        - php5-fpm
-        - curl
-        - fcgiwrap
-    - name: SERVICE | Force start services
-      service: name={{ item }} state=started
-      register: sf
-      with_items:
-        - php5-fpm
-        - fcgiwrap
-    - name: PAUSE | Prevent bugs (CGI not fully loaded)
-      pause: seconds=5
-      when: sf.changed
     - name: FILE | Create an internal SSL dir
       file: path={{ int_ansible_ssl_dir }} state=directory
     - name: COPY | Deploy test certificate
@@ -29,8 +14,11 @@
 # Internal vars
     int_ansible_ssl_dir: '/etc/ansible-ssl'
 # Role vars
+    nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number
+    nginx_apt_package: 'nginx-extras'
     nginx_backports: true
-    nginx_php: true
+    nginx_php56: true
+    nginx_php70: true
     nginx_upstreams:
       - name: 'test'
         servers:
@@ -38,6 +26,13 @@
             max_conns: 150
             weight: 10
             down: false
+      - name: 'test-absent'
+        servers:
+          - path: '127.0.0.1:80'
+            max_conns: 150
+            weight: 10
+            down: false
+        state: 'absent'
     nginx_htpasswd:
       - name: 'hello'
         description: 'Please login!'
@@ -119,23 +114,30 @@
           - 'test-alias.local'
           - 'test2-alias.local'
         template: '_base'
+        filename : 'first-test'
         override_try_files: '$uri $uri index.htm index.html'
+        headers:
+          'X-Frame-Options': 'deny always'
+          'X-ansible-default': '1'
         manage_local_content: false
+        use_error_log: false
         more:
           - 'autoindex off;'
-          - 'add_header X-ansible-default 1;'
         location:
           '/test':
             - 'return 403;'
           '/gunther':
             - 'return 404;'
+          '/status':
+            - 'stub_status on;'
+            - 'access_log off;'
+            - 'allow 127.0.0.1;'
+            - 'deny all;'
       - name: 'test-htpasswd.local'
         template: '_base'
         location:
           '/hello':
             - htpasswd: 'hello'
-            - 'default_type "text/html; charset=UTF-8";'
-            - 'echo hello;'
       - name: 'test-htpasswd-all.local'
         template: '_base'
         htpasswd: 'hello'
@@ -145,11 +147,14 @@
           '/':
             - 'alias /var/tmp;'
       - name: 'test-php.local'
+        php_version: 70
         upstream_params:
           - 'fastcgi_param FOO bar;'
         redirect_from:
           - 'www.test-php.local'
         template: '_php'
+        use_error_log: true
+        use_access_log: true
       - name: 'test-php-index.local'
         template: '_php_index'
       - name: 'test-proxy.local'
@@ -157,8 +162,8 @@
           - 8080
         template: '_proxy'
         upstream_name: 'test'
-        more:
+        headers:
-          - 'add_header X-proxyfied 1;'
+          'X-proxyfied': '1'
       - name: 'deleted.local'
         delete: true
       - name: 'redirect-to.local'
@@ -177,8 +182,16 @@
         proto: ['http', 'https']
         template: '_base'
         ssl_name: 'test-ssl-predeployed.local'
-        more:
+        headers:
-          - 'add_header X-ansible-default 1;'
+          'X-ansible-default': '1'
+        ssl_template: false
+      - name: 'test-ssl-redirect.local'
+        proto: ['https']
+        template: '_base'
+        ssl_name: 'test-ssl.local'
+        redirect_https: true
+#      - name: 'owncloud.local'
+#        template: '_owncloud'
     nginx_dh_length: 1024
   roles:
     - ../../
@@ -186,14 +199,8 @@
 # --------------------------------
 # Apps
 # --------------------------------
-    - name: APT | Install web apps
+    - name: INCLUDE | Post_tasks related to OS version
-      apt: pkg={{ item }} state=present
+      include: "includes/post_{{ ansible_distribution }}.yml"
-      with_items:
-        - nagios3
-        - backuppc
-    - name: SERVICE | Ensure backuppc is started
-      service: name=backuppc state=started
-
 # --------------------------------
 # Deploy index files
 # --------------------------------
@@ -203,13 +210,16 @@
     - name: -- Add HTML file --
       copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
       with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public']
-
+    - name: -- Create directory --
+      file: path={{ nginx_root }}/test-htpasswd.local/public/hello state=directory
+    - name: -- Add HTML file hello --
+      copy: dest="{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" content="hello\n"
 # --------------------------------
 # Simple vhosts tests
 # --------------------------------
     - name: -- VERIFY VHOSTS --
       command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
-      with_items: nginx_vhosts
+      with_items: "{{ nginx_vhosts }}"
       when: item.delete is undefined or not item.delete
       changed_when: false
     - name: -- VERIFY FORBIDDEN --
@@ -219,7 +229,7 @@
       changed_when: false
     - name: -- VERIFY REDIRECT VHOSTS --
       command: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/"
-      with_items: nginx_vhosts
+      with_items: "{{ nginx_vhosts }}"
       when: item.redirect_from is defined and (item.delete is undefined or not item.delete)
       changed_when: false
       register: r
@@ -235,21 +245,35 @@
       failed_when: p.stdout.find('PHP Version') == -1
       with_items: ['test-php.local', 'test-php-index.local']
 
+    - name: -- VERIFY PHP5 VHOSTS (implicit default) --
+      command: "curl -H 'Host: {{ item }}' http://127.0.0.1/"
+      register: p
+      changed_when: false
+      failed_when: p.stdout.find('PHP Version 5') == -1
+      with_items: ['test-php-index.local']
+
+    - name: -- VERIFY PHP7 VHOSTS --
+      command: "curl -H 'Host: {{ item }}' http://127.0.0.1/"
+      register: p
+      changed_when: false
+      failed_when: p.stdout.find('PHP Version 7') == -1
+      with_items: ['test-php.local']
+
 # --------------------------------
 # Basic Auth
 # --------------------------------
     - name: -- VERIFY AUTH BASIC NONE --
-      command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
       changed_when: false
       register: authnone
       failed_when: authnone.stdout.find('401 Authorization Required') == -1
     - name: -- VERIFY AUTH BASIC FAIL --
-      command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
       changed_when: false
       register: authfail
       failed_when: authfail.stdout.find('401 Authorization Required') == -1
     - name: -- VERIFY AUTH BASIC OK --
-      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello"
+      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
       changed_when: false
       register: authok
       failed_when: authok.stdout.find('hello') == -1
@@ -272,6 +296,7 @@
       changed_when: false
       register: authbpc
       failed_when: authbpc.stdout.find('BackupPC Server Status') == -1
+      when: ansible_distribution != 'FreeBSD'
 
 # --------------------------------
 # Nagios
@@ -282,11 +307,32 @@
       register: nagios_php
       failed_when: nagios_php.stdout.find('Nagios Core') == -1
     - name: -- VERIFY NAGIOS3 CGI --
-      command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/cgi-bin/nagios3/summary.cgi"
+      command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/cgi-bin{% if ansible_distribution == 'Debian' %}/nagios3{% endif %}/summary.cgi"
       changed_when: false
       register: nagios_cgi
       failed_when: nagios_cgi.stdout.find('Nagios Event Summary') == -1
 
+# --------------------------------
+# Owncloud
+# --------------------------------
+#    - block:
+#      - name: -- VERIFY OWNCLOUD --
+#        command: "curl -H 'Host: owncloud.local' http://127.0.0.1/"
+#        changed_when: false
+#        register: ownsimple
+#        failed_when: ownsimple.stdout.find('ownCloud') == -1
+#      - name: -- VERIFY OWNCLOUD JS (FROM PHP)--
+#        command: "curl -H 'Host: owncloud.local' http://127.0.0.1/index.php/core/js/oc.js"
+#        changed_when: false
+#        register: ownjsphp
+#        failed_when: ownjsphp.stdout.find('var oc_debug=false') == -1
+#      - name: -- VERIFY OWNCLOUD JS --
+#        command: "curl -H 'Host: owncloud.local' http://127.0.0.1/core/js/js.js"
+#        changed_when: false
+#        register: ownjs
+#        failed_when: ownjs.stdout.find('var oc_debug') == -1
+#      when: ansible_distribution != 'FreeBSD'
+
 # --------------------------------
 # SSL
 # --------------------------------
@@ -298,6 +344,15 @@
       with_items:
         - 'test-ssl-predeployed.local'
         - 'test-ssl.local'
+    - name: -- VERIFY SSL REDIRECT --
+      command: "curl -v --insecure -H 'Host: {{ item }}' http://127.0.0.1/"
+      changed_when: false
+      register: sslredirok
+      failed_when: >
+        sslredirok.stderr.find('< Location') == -1 and
+        sslredirok.stderr.find('https://{{ item }}/') == -1
+      with_items:
+        - 'test-ssl-redirect.local'
 
 # --------------------------------
 # Default vhosts
@@ -326,3 +381,20 @@
       changed_when: false
       register: notdefaultssl
       failed_when: notdefaultssl.stderr.find('X-ansible-default') != -1
+    - name: -- VERIFY DEFAULT VHOST + STUB_STATUS --
+      command: "curl -v http://127.0.0.1/status"
+      changed_when: false
+      register: vdefault_status
+      failed_when: >
+        vdefault_status.stderr.find('X-ansible-default') == -1 or
+        vdefault_status.stdout.find('Active connections') == -1
+
+# --------------------------------
+# Check HTTP2
+# --------------------------------
+    - name: SHELL | Check HTTP2
+      shell: nghttp -nv https://localhost 2> /dev/null | grep -q h2
+      args:
+        executable: /bin/sh
+      changed_when: false
+      when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules

vars/Debian.yml

@@ -0,0 +1,8 @@
+nginx_events_use: 'epoll'
+nginx_pid: '/run/nginx.pid'
+nginx_etc_dir: '/etc/nginx'
+
+# Specific vhosts
+nginx_nagios_root: '/usr/share/nagios3/htdocs'
+nginx_nagios_stylesheets: '/etc/nagios3/stylesheets'
+nginx_fcgiwrap_sock: '/var/run/fcgiwrap.socket'

vars/FreeBSD.yml

@@ -0,0 +1,7 @@
+nginx_events_use: 'kqueue'
+nginx_pid: '/var/run/nginx.pid'
+nginx_etc_dir: '/usr/local/etc/nginx'
+
+# Specific vhosts
+nginx_nagios_root: '/usr/local/www/nagios'
+nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock'

vars/main.yml

@@ -28,6 +28,10 @@ nginx_dirs:
   - "{{ nginx_helper_dir }}"
 
 nginx_templates_no_dir:
-  - '_proxy'
-  - '_nagios3'
   - '_backuppc'
+  - '_nagios3'
+  - '_owncloud'
+  - '_proxy'
+
+nginx_upstream_php56: 'php56'
+nginx_upstream_php70: 'php70'