Drop check legacy nginx version

It overwrited ngrok binary on Debian

.gitignore

@@ -1,3 +1,4 @@
 .vagrant*
 *.swp
 *.retry
+*.pyc

.travis.yml

@@ -1,16 +1,57 @@
 env:
-  - PLATFORM=debian-wheezy
-  - PLATFORM=debian-jessie
+  - PLATFORM='docker-debian-jessie'           ANSIBLE_VERSION='ansible>=2.2,<2.3'
+  - PLATFORM='docker-debian-jessie-backports' ANSIBLE_VERSION='ansible>=2.2,<2.3'
+  - PLATFORM='docker-debian-jessie-dotdeb'    ANSIBLE_VERSION='ansible>=2.2,<2.3'
+  - PLATFORM='docker-debian-jessie'           ANSIBLE_VERSION='ansible>=2.3,<2.4'
+  - PLATFORM='docker-debian-jessie-backports' ANSIBLE_VERSION='ansible>=2.3,<2.4'
+  - PLATFORM='docker-debian-jessie-dotdeb'    ANSIBLE_VERSION='ansible>=2.3,<2.4'
+  - PLATFORM='docker-debian-stretch'          ANSIBLE_VERSION='ansible>=2.3,<2.4'
+  - PLATFORM='docker-debian-stretch-sury'     ANSIBLE_VERSION='ansible>=2.3,<2.4'
+  - PLATFORM='docker-debian-jessie'           ANSIBLE_VERSION='ansible>=2.4,<2.5'
+  - PLATFORM='docker-debian-jessie-backports' ANSIBLE_VERSION='ansible>=2.4,<2.5'
+  - PLATFORM='docker-debian-jessie-dotdeb'    ANSIBLE_VERSION='ansible>=2.4,<2.5'
+  - PLATFORM='docker-debian-stretch'          ANSIBLE_VERSION='ansible>=2.4,<2.5'
+  - PLATFORM='docker-debian-stretch-sury'     ANSIBLE_VERSION='ansible>=2.4,<2.5'
+  - PLATFORM='docker-debian-jessie'           ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+  - PLATFORM='docker-debian-jessie-backports' ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+  - PLATFORM='docker-debian-jessie-dotdeb'    ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+  - PLATFORM='docker-debian-stretch'          ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+  - PLATFORM='docker-debian-stretch-sury'     ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+
+matrix:
+  allow_failures:
+    - env: PLATFORM='docker-debian-jessie'           ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+    - env: PLATFORM='docker-debian-jessie-backports' ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+    - env: PLATFORM='docker-debian-jessie-dotdeb'    ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+    - env: PLATFORM='docker-debian-stretch'          ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+    - env: PLATFORM='docker-debian-stretch-sury'     ANSIBLE_VERSION='ansible>=2.5b,<2.6'
+
+  fast_finish: true
 
 sudo: required
 
+dist: trusty
+
 language: python
 
 services:
   - docker
 
+before_install:
+  - wget https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_x86_64.deb
+  - sudo dpkg -i vagrant_2.0.1_x86_64.deb
+
+install:
+  - pip install "$ANSIBLE_VERSION"
+
 script:
-  - docker build -f tests/$PLATFORM.Dockerfile -t test-$PLATFORM . && docker run --name $PLATFORM test-$PLATFORM
+  - VAGRANT_DEFAULT_PROVIDER=docker vagrant up $PLATFORM
+  - >
+    VAGRANT_DEFAULT_PROVIDER=docker vagrant provision $PLATFORM
+    | grep -q 'changed=0.*failed=0'
+    && (echo 'Idempotence test: pass' && exit 0)
+    || (echo 'Idempotence test: fail' && exit 1)
+  - VAGRANT_DEFAULT_PROVIDER=docker vagrant status
 
 notifications:
   webhooks: https://galaxy.ansible.com/api/v1/notifications/

README.md

@@ -1,18 +1,31 @@
 Nginx for Debian/FreeBSD Ansible role
 =====================================
 
-[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/list#/roles/4399) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx)
+[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx)
 
 Install and configure Nginx on Debian/FreeBSD.
 
 Features:
 
 - SSL/TLS "hardened" support
-- Manage basic auth on vhost / location
+- Manage basic auth on site / location
 - Proxy + Upstream
 - Fast PHP configuration
-- Preconfigured vhost templates (should work on many app)
-- Auto-configure HTTP2 on SSL/TLS vhosts
+- Preconfigured site templates (should work on many app)
+- Auto-configure HTTP2 on SSL/TLS sites
+- Manage dynamic modules (install and loading)
+- Deploy custom facts.d with sites config
+- Can listen with proxy protocol
+- Generate certificates with acme.sh (let's encrypt) -- *EXPERIMENTAL*
+
+Supported OS:
+
+| OS                 | Working | Stable (active support) |
+| ------------------ | ------- | ----------------------- |
+| Debian Jessie (8)  | Yes     | Yes                     |
+| Debian Stretch (9) | Yes     | Yes                     |
+| FreeBSD 11         | Yes     | No                      |
+| FreeBSD 12         | Yes     | No                      |
 
 Requirements
 ------------
@@ -40,6 +53,7 @@ FreeBSD:
 - `nginx_resolver`: list of DNS resolver (default: OpenDNS)
 - `nginx_error_log_level`: default log level
 - `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
+- `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
 
 ### Nginx Configuration
 
@@ -49,11 +63,22 @@ FreeBSD:
 - `nginx_events_*`: all variables in events block
 - `nginx_http_*`: all variables in http block
 - `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`)
+- `nginx_module_packages`: package list module to install (Debian)
+- `nginx_load_modules`: module list to load (full path), should be used only on FreeBSD
+
+### Misc
+
+- `nginx_debug_role`: set _true_ if you need to see output of no\_log tasks 
+
+About modules
+-------------
+
+Last updates from Debian backports loads modules from /etc/nginx/modules-enabled directory. Disabling/Enabling is not supported anymore. Please wait further update.
 
 Fine configuration
 ------------------
 
-[Vhost configuration](doc/vhost.md)
+[Site configuration](doc/site.md)
 
 [PHP configuration](doc/php.md)
 
@@ -65,6 +90,7 @@ Fine configuration
 
 [FreeBSD](doc/freebsd.md)
 
+[acme.sh](doc/acme.md)
 
 Note
 ----
@@ -88,6 +114,19 @@ License
 
 GPLv2
 
+
+Donation
+--------
+
+If this code helped you, or if you’ve used them for your projects, feel free to buy me some :beers:
+
+- Bitcoin: `1BQwhBeszzWbUTyK4aUyq3SRg7rBSHcEQn`
+- Ethereum: `63abe6b2648fd892816d87a31e3d9d4365a737b5`
+- Litecoin: `LeNDw34zQLX84VvhCGADNvHMEgb5QyFXyD`
+- Monero: `45wbf7VdQAZS5EWUrPhen7Wo4hy7Pa7c7ZBdaWQSRowtd3CZ5vpVw5nTPphTuqVQrnYZC72FXDYyfP31uJmfSQ6qRXFy3bQ`
+
+No crypto-currency? :star: the project is also a way of saying thank you! :sunglasses:
+
 Author Information
 ------------------
 

Vagrantfile

@@ -6,51 +6,78 @@
 Vagrant.configure("2") do |config|
 
   vms_debian = [
-    [ "debian-wheezy", "debian/wheezy64" ],
-    [ "debian-jessie", "debian/jessie64" ],
-    [ "debian-stretch", "sharlak/debian_stretch_64" ],
+    { :name => "debian-jessie", :box => "debian/jessie64", :vars => { "nginx_php": [{"version": "5.6"}] }},
+    { :name => "debian-jessie-backports", :box => "debian/jessie64", :vars => { "nginx_php": [{"version": "5.6"}], "nginx_backports": true }},
+    { :name => "debian-jessie-dotdeb", :box => "debian/jessie64", :vars => { "nginx_php": [{"version": "7.0"}, {"version": "5.6", "upstream_name": "legacy"} ], "dotdeb": true }},
+    { :name => "debian-stretch", :box => "debian/stretch64", :vars => { "nginx_php": [{"version": "7.0"}] }},
+    { :name => "debian-stretch-sury", :box => "debian/stretch64", :vars => { "nginx_php": [{"version": "7.1"}], "sury": true }}
   ]
 
   vms_freebsd = [
-    [ "freebsd-10.2", "freebsd/FreeBSD-10.2-STABLE" ]
+    { :name => "freebsd-11", :box => "freebsd/FreeBSD-11.1-STABLE",  :vars => {} },
+    { :name => "freebsd-12", :box => "freebsd/FreeBSD-12.0-CURRENT", :vars => {} }
   ]
 
-  config.vm.provider "virtualbox" do |v|
+  conts = [
+    { :name => "docker-debian-jessie", :docker => "hanxhx/vagrant-ansible:debian8", :vars => { "nginx_php" => [{"version" => "5.6"}] }},
+    { :name => "docker-debian-jessie-backports", :docker => "hanxhx/vagrant-ansible:debian8", :vars => { "nginx_php": [{"version": "5.6"}], "nginx_backports": true }},
+    { :name => "docker-debian-jessie-dotdeb", :docker => "hanxhx/vagrant-ansible:debian8", :vars => { "nginx_php": [{"version": "7.0"}, {"version": "5.6", "upstream_name": "legacy"} ], "dotdeb": true }},
+    { :name => "docker-debian-stretch", :docker => "hanxhx/vagrant-ansible:debian9", :vars => { "nginx_php": [{"version": "7.0"}] }},
+    { :name => "docker-debian-stretch-sury", :docker => "hanxhx/vagrant-ansible:debian9", :vars => { "nginx_php": [{"version": "7.1"}], "sury": true }}
+  ]
+
+  config.vm.network "private_network", type: "dhcp"
+  config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
+
+  conts.each do |opts|
+    config.vm.define opts[:name] do |m|
+      m.vm.provider "docker" do |d|
+        d.image = opts[:docker]
+        d.remains_running = true
+        d.has_ssh = true
+      end
+      m.vm.provision "ansible" do |ansible|
+        ansible.playbook = "tests/test.yml"
+        ansible.verbose = 'vv'
+        ansible.become = true
+        ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true })
+      end
+    end
+  end
+
+  vms_debian.each do |opts|
+    config.vm.define opts[:name] do |m|
+      m.vm.box = opts[:box]
+      m.vm.provider "virtualbox" do |v|
         v.cpus = 1
         v.memory = 256
       end
-
-  vms_debian.each do |vm|
-    config.vm.define vm[0] do |m|
-      m.vm.box = vm[1]
-      m.vm.network "private_network", type: "dhcp"
       m.vm.provision "ansible" do |ansible|
         ansible.playbook = "tests/test.yml"
-        ansible.groups = { "test" => [ vm[0] ] }
         ansible.verbose = 'vv'
-        ansible.sudo = true
+        ansible.become = true
+        ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true })
       end
     end
   end
-  # See: https://forums.freebsd.org/threads/52717/
-  vms_freebsd.each do |vm|
-    config.vm.define vm[0] do |m|
-      m.vm.box = vm[1]
-      m.vm.network "private_network", type: "dhcp"
-      m.vm.guest = :freebsd
-      m.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
-      m.ssh.shell = "sh"
-      m.vm.base_mac = "080027D14C66"
+
+  vms_freebsd.each do |opts|
+    config.vm.base_mac = "080027D14C66"
+    config.vm.define opts[:name] do |m|
+      m.vm.box = opts[:box]
+      m.vm.provider "virtualbox" do |v, override|
+        override.ssh.shell = "csh"
+        v.cpus = 2
+        v.memory = 512
+      end
       m.vm.provision "shell", inline: "pkg install -y python bash"
       m.vm.provision "ansible" do |ansible|
         ansible.playbook = "tests/test.yml"
-        ansible.groups = { "test" => [ vm[0] ] }
         ansible.verbose = 'vv'
-        ansible.sudo = true
-        ansible.extra_vars = {
-          ansible_python_interpreter: '/usr/local/bin/python'
-        }
+        ansible.become = true
+        ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, "ansible_python_interpreter": '/usr/local/bin/python' })
       end
     end
   end
+
 end

defaults/main.yml

@@ -16,8 +16,9 @@ nginx_resolver_valid: '300s'
 nginx_resolver_timeout: '5s'
 nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
 nginx_auto_config_httpv2: true
-nginx_default_vhost: null
-nginx_default_vhost_ssl: null
+nginx_default_site: null
+nginx_default_site_ssl: null
+nginx_fastcgi_fix_realpath: true
 
 #
 # Nginx directories
@@ -31,10 +32,7 @@ nginx_helper_dir: '{{ nginx_etc_dir}}/helper'
 #
 
 # PHP
-nginx_php: false
-nginx_php_sockets:
-  - unix_socket: "/var/run/php5-fpm.sock"
-nginx_upstreams: []
+nginx_php: []
 
 #
 # Nginx configuration
@@ -87,9 +85,14 @@ nginx_http_gzip_disable: '"msie6"'
 nginx_custom_http: []
 
 #
-# Vhosts
+# Sites
 #
-nginx_vhosts: []
+nginx_sites: []
+
+#
+# Upstreams
+#
+nginx_upstreams: []
 
 #
 # htpasswd
@@ -101,9 +104,28 @@ nginx_htpasswd: []
 #
 nginx_ssl_pairs: []
 
+#
+# Dynamic modules
+#
+nginx_module_packages: []
+nginx_load_modules: []
+
 #
 # Diffie-Hellman
 #
 nginx_dh: null
 nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
 nginx_dh_length: 2048
+
+#
+# acme.sh
+#
+nginx_acmesh: false
+nginx_acmesh_dir: "/opt/acme.sh"
+nginx_acmesh_git_dir: "/tmp/acme.sh"
+nginx_acmesh_test: false
+
+#
+# Debug
+#
+nginx_debug_role: false

doc/acme.md

@@ -0,0 +1,15 @@
+acme.sh
+=======
+
+Notes
+-----
+
+This feature is experimental.
+
+Variables
+---------
+
+- `nginx_acmesh`: (bool) Enable/Disable acme.sh feature
+- `nginx_acmesh_dir`: (string) Install directory
+- `nginx_acmesh_git_dir`: (string) Git directory (removed after install)
+- `nginx_acmesh_test`: (bool) If set to true (default false), uses test mode

doc/auth.md

@@ -1,10 +1,15 @@
 Auth Basic management
 =====================
 
+IMPORTANT
+---------
+
+If you use this feature with Debian Stretch, you *MUST* use ansible >= 2.3.2! See: [https://github.com/HanXHX/ansible-nginx/issues/28](#28).
+
 Description
 -----------
 
-Auth basic is managed in a separate list. Each auth file can be shared between locations or vhosts.
+Auth basic is managed in a separate list. Each auth file can be shared between locations or sites.
 
 Each htpasswd has few keys:
 
@@ -19,8 +24,8 @@ Example
 -------
 
 ```yaml
-nginx_vhosts:
-# htpasswd on all vhost
+nginx_sites:
+# htpasswd on all site
   - name: test.local
     htpasswd: 'hello'
     template: '_base'

doc/freebsd.md

@@ -1,4 +1,18 @@
 Freebsd
 =======
 
+Limitations
+-----------
+
 Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`.
+
+About modules
+-------------
+
+Dynamic modules must be set with full path (see `nginx_load_modules` path).
+
+Sites not tested
+----------------
+
+- BackupPC
+- Nagios

doc/php.md

@@ -1,18 +1,23 @@
 PHP
 ===
 
-- `nginx_php`: boolean if you need to preconfigure PHP (default: false)
-- `nginx_php_sockets`: list of sockets (see bellow)
+`nginx_php`:
+  - `version`: (M) PHP version
+  - `upstream_name` (O)
+  - `sockets`: (O) socket list
+
+If `sockets` is not provided, if uses local unix socket (based on PHP version).
 
 You should see [Nginx upstream module doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
 
 Each socket have:
 
-- `unix_socket`
+- `unix`
+
+XOR
+
 - `host`
 - `port`
 - `weight`
 - `max_fails`
 - `fail_timeout`
-
-With default configuration, it works fine with PHP-FPM. But if you install PHP7 with Dotdeb, path changed between version, you must set well this list.

doc/site.md

@@ -1,32 +1,35 @@
-Vhost management
-================
+Site management
+===============
 
 You can see many examples in: [tests/test.yml](../tests/test.yml).
 
-`nginx_vhosts`: List of dict. A vhost has few keys. See bellow.
+`nginx_sites`: List of dict. A site has few keys. See bellow.
 
 Common
 ------
 
 - `name`: (M) Domain or list of domain used.
-- `template`: (D) template used to create vhost. Optional if you set `delete` to true or using `redirect_tor`.
-- `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword).
-- `enable`: (O) Enable the vhost (default is true)
-- `delete`: (O) Delete the vhost (default is false)
+- `template`: (D) template used to create site. Optional if you set `state`=`absent` or using `redirect_to`.
+- `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword). It will be used for log filenames and directories creation.
+- `state`: (O) Site status. Can be "present" (default), "absent" and "disabled".
 - `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
 - `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
 - `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html).
 - `redirect_to_code`: Redirect code (default: 302)
 - `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```.
 - `location`: (O) Add new custom locations (it does not overwrite!)
+- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [tests/test.yml](../tests/test.yml)).
 - `more`: (O) Add more custom infos.
 - `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
 - `override_try_files`: (O) overrides default try\_files defined in template
 - `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature.
-- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost.
+- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all site. Set "false" to disable.
 - `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
-- `ssl_name`: (D) name of the key used when using TLS/SSL. Mandatory when `proto` contains "https"
+- `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
 - `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
+- `php_version` (O) Sepecify PHP version (5 or 7)
+- `http_proxy_protocol_port` (O) Enable proxy protocol on http port.
+- `https_proxy_protocol_port` (O) Enable proxy protocol on https port.
 
 (O): Optional
 (M): Mandatory
@@ -53,17 +56,17 @@ About proxy template
 
 Proxy template allow you to use Nginx as reverse proxy. Usefull when you have an application service such as Redmine, Jenkins...
 
-You have many key added to vhost key:
+You have many key added to site key:
 
 - `upstream_name`: (O) upstream name used to pass proxy
-- `proxy_params`: (M) list of raw params passed to the vhost
+- `proxy_params`: (M) list of raw params passed to the site
 
 (O) : Optional
 
-Default vhosts
+Default sites
 --------------
 
-You can manage default vhost by setting domain name to these variables.
+You can manage default site by setting domain name to these variables.
 
-- `nginx_default_vhost`
-- `nginx_default_vhost_ssl`
+- `nginx_default_site`
+- `nginx_default_site_ssl`

doc/ssl.md

@@ -32,7 +32,8 @@ Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo
 Tips
 ----
 
-Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
+- Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`!
+- In `nginx_sites`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with site `name` (first in list if it's a list).
 
 Diffie-Hellman
 --------------
@@ -43,11 +44,17 @@ Example
 -------
 
 ```yaml
-nginx_vhosts;
+nginx_sites;
   - name: 'test-ssl.local'
     proto: ['http', 'https']
     template: '_base'
     ssl_name: 'mysuperkey'
+  - name: 'test-ssl2.local'
+    proto: ['http', 'https']
+    template: '_base'
+  - name: 'test-ssl3.local'
+    proto: ['http', 'https']
+    template: '_base'
 
 nginx_ssl_pairs:
   - name: mysuperkey
@@ -59,5 +66,7 @@ nginx_ssl_pairs:
       -----BEGIN CERTIFICATE-----
       ....(snip)....
       -----END CERTIFICATE-----
+  - name: test-ssl2.local
+    acme: true
 ```
 

doc/upstream.md

@@ -8,9 +8,10 @@ Note: Few params are unavailable on old Nginx version. But this role do _not_ pu
 Upstream params
 ---------------
 
-- `name`: upstream name. Can be use in vhost with *proxy_pass http://upstream_name*
+- `name`: upstream name. Can be use in site with *proxy_pass http://upstream_name*
 - `params`: list of param (hash, zone...)
 - `servers`: each upstream MUST have at least 1 server
+- `state`: Optional. Can be 'absent' or 'present'
 
 Server params
 -------------
@@ -38,4 +39,5 @@ nginx_upstreams:
         max_conns: 150
         weight: 10
         down: false
+    state: 'present'
 ```

filter_plugins/nginx.py

@@ -0,0 +1,20 @@
+def nginx_site_filename(site):
+    if site.has_key('filename'):
+        return site['filename']
+    else:
+        return nginx_site_name(site)
+
+def nginx_site_name(site):
+    if isinstance(site['name'], list):
+        return site['name'][0]
+    else:
+        return site['name']
+
+class FilterModule(object):
+    ''' Nginx module '''
+
+    def filters(self):
+        return {
+            'nginx_site_filename': nginx_site_filename,
+            'nginx_site_name': nginx_site_name
+        }

filter_plugins/php.py

@@ -0,0 +1,25 @@
+def php_default_upstream_socket(php_version):
+    if php_version == '5.6':
+        return '/run/php5-fpm.sock'
+    else:
+        return '/run/php/php%s-fpm.sock' % php_version
+
+def php_default_upstream_name(php_version):
+    return 'default_php_%s' % php_version
+
+def php_fpm_service(php_version):
+    if php_version == '5.6':
+        return 'php5-fpm'
+    else:
+        return 'php%s-fpm' % php_version
+
+class FilterModule(object):
+    ''' PHP module '''
+
+    def filters(self):
+        return {
+            'php_default_upstream_socket': php_default_upstream_socket,
+            'php_default_upstream_name': php_default_upstream_name,
+            'php_fpm_service': php_fpm_service,
+            'php_fpm_package': php_fpm_service
+        }

handlers/main.yml

@@ -1,9 +1,42 @@
 ---
 
-# Reload wrapper
 - name: reload nginx
   command: nginx -t
-  notify: real-reload nginx
+  notify:
+    - real-reload nginx
+    - docker reload nginx
+
+- name: restart nginx
+  command: nginx -t
+  notify:
+    - real-restart nginx
+    - docker restart nginx
 
 - name: real-reload nginx
-  service: name=nginx state=reloaded
+  service:
+    name: nginx
+    state: reloaded
+  when: ansible_virtualization_type != 'docker'
+
+- name: real-restart nginx
+  service:
+    name: nginx
+    state: restarted
+  when: ansible_virtualization_type != 'docker'
+
+- name: docker reload nginx
+  command: service nginx reload
+  when: ansible_virtualization_type == 'docker'
+
+- name: docker restart nginx
+  command: service nginx restart
+  when: ansible_virtualization_type == 'docker'
+
+- name: restart nginx freebsd
+  service:
+    name: nginx
+    state: restarted
+  when: ansible_distribution == "FreeBSD"
+
+- name: setup
+  action: setup

meta/main.yml

@@ -4,11 +4,10 @@ galaxy_info:
   description: Nginx for Debian
   company:
   license: GPLv2
-  min_ansible_version: 2.0
+  min_ansible_version: 2.2
   platforms:
   - name: Debian
     versions:
-    - wheezy
     - jessie
   - name: FreeBSD
     versions:

tasks/config.yml

@@ -1,21 +1,44 @@
 ---
 
 - name: TEMPLATE | Deploy nginx.conf
-  template: >
-    src=etc/nginx/nginx.conf.j2
-    dest="{{ nginx_etc_dir }}/nginx.conf"
+  template:
+    src: "etc/nginx/nginx.conf.j2"
+    dest: "{{ nginx_etc_dir }}/nginx.conf"
   notify: reload nginx
 
 - name: TEMPLATE | Deploy all helpers
-  template: >
-    src={{ item }}
-    dest={{ nginx_helper_dir }}/{{ item | basename | regex_replace('\.j2$','') }}
+  template:
+    src: "{{ item }}"
+    dest: "{{ nginx_helper_dir }}/{{ item | basename | regex_replace('.j2$','') }}"
   with_fileglob: '../templates/etc/nginx/helper/*.j2'
   notify: reload nginx
 
 - name: TEMPLATE | Deploy custom http configuration
-  template: >
-    src=etc/nginx/conf.d/custom.conf.j2
-    dest="{{ nginx_etc_dir }}/conf.d/custom.conf"
+  template:
+    src: "etc/nginx/conf.d/custom.conf.j2"
+    dest: "{{ nginx_etc_dir }}/conf.d/custom.conf"
   notify: reload nginx
 
+- name: LINEINFILE | Fix path
+  lineinfile:
+    regexp: '{{ item.0.regexp }}'
+    line: '{{ item.0.line }}'
+    dest: '{{ item.1 }}'
+  with_nested:
+    -
+      - regexp: '^fastcgi_param  SCRIPT_FILENAME'
+        line: 'fastcgi_param  SCRIPT_FILENAME    $realpath_root$fastcgi_script_name;'
+      - regexp: '^fastcgi_param  DOCUMENT_ROOT'
+        line: 'fastcgi_param  DOCUMENT_ROOT      $realpath_root;'
+    -
+      - '{{ nginx_etc_dir }}/fastcgi.conf'
+  when: nginx_fastcgi_fix_realpath
+
+- name: COPY | Add modules manually
+  copy:
+    content: |
+      {% for m in nginx_load_modules %}
+      load_module {{ m }};
+      {% endfor %}
+    dest: "{{ nginx_etc_dir }}/modules-enabled/000-modules.conf"
+  notify: reload nginx

tasks/htpasswd.yml

@@ -1,19 +1,21 @@
 ---
 
 - name: FILE | Delete htpasswd file
-  file: >
-    path={{ nginx_htpasswd_dir }}/{{ item.name }}
-    state=absent
+  file:
+    path: "{{ nginx_htpasswd_dir }}/{{ item.name }}"
+    state: absent
   with_items: "{{ nginx_htpasswd }}"
   when: item.state is defined and item.state == 'absent'
+  no_log: not nginx_debug_role
 
 - name: HTPASSWD | Manage files
-  htpasswd: >
-    name={{ item.1.name }}
-    password={{ item.1.password }}
-    state={{ item.1.state | default('present') }}
-    path={{ nginx_htpasswd_dir }}/{{ item.0.name }}
+  htpasswd:
+    name: "{{ item.1.name }}"
+    password: "{{ item.1.password }}"
+    state: "{{ item.1.state | default('present') }}"
+    path: "{{ nginx_htpasswd_dir }}/{{ item.0.name }}"
   with_subelements:
     - "{{ nginx_htpasswd }}"
     - users
   when: item.0.state is not defined or item.0.state == 'present'
+  no_log: not nginx_debug_role

tasks/install_Debian.yml

@@ -1,16 +1,67 @@
 ---
 
+- name: FAIL | Check possible issues
+  fail:
+    msg: "This ansible version ({{ ansible_version.full}}) is not compatible with your needs (Debian Stretch + htpasswd). Please see https://github.com/HanXHX/ansible-nginx/issues/28"
+  when:
+    ansible_distribution_major_version | version_compare('9', 'ge') and
+    ansible_version.full | version_compare('2.3.2', 'lt') and
+    nginx_htpasswd | length > 0
+
 - name: APT | Update cache
-  apt: >
-    update_cache=yes
-    cache_valid_time=3600
+  apt:
+    update_cache: yes
+    cache_valid_time: 3600
+  changed_when: false
+
+- name: APT | Force OpenSSL from backports (fix dependency break)
+  apt:
+    pkg: openssl
+    state: latest
+    default_release: "{{ ansible_distribution_release + '-backports' }}"
+  when: nginx_backports
 
 - name: APT | Install nginx and dependencies
-  apt: >
-    pkg={{ nginx_apt_package }}
-    state=present
-    default_release={{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}
+  apt:
+    pkg: "{{ nginx_apt_package }}"
+    state: present
+    default_release: "{{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}"
+
+- name: APT | Install nginx modules
+  apt:
+    pkg: "{{ item }}"
+    state: present
+  with_items: "{{ nginx_module_packages }}"
+  when:
+    ansible_distribution_major_version | version_compare('9', 'ge') or
+    nginx_backports
 
 - name: APT | Install python-passlib
-  apt: pkg=python-passlib state=present
+  apt:
+    pkg: python-passlib
+    state: present
 
+- name: STAT | Check acme.sh is installed
+  stat:
+    path: "{{ nginx_acmesh_dir }}"
+  register: acme
+
+- block:
+
+  - name: APT | Install git
+    apt:
+      pkg: git
+
+  - name: GIT | Get acme.sh
+    git:
+      repo: 'https://github.com/Neilpang/acme.sh.git'
+      dest: '{{ nginx_acmesh_git_dir }}'
+      update: no
+
+  - name: SHELL | Install acme.sh
+    shell: ./acme.sh --install --home {{ nginx_acmesh_dir }} --cert-home {{ nginx_acmesh_dir }}
+    args:
+      chdir: "{{ nginx_acmesh_git_dir }}"
+      creates: "{{ nginx_acmesh_dir }}"
+
+  when: not acme.stat.exists

tasks/install_FreeBSD.yml

@@ -1,35 +1,59 @@
 ---
 
 - name: PKGNG | Install nginx and related tools
-  pkgng: name={{ item }} state=present
+  pkgng:
+    name: "{{ item }}"
+    state: present
   with_items:
+    - acme.sh
     - "{{ nginx_pkgng_package }}"
     - py27-passlib
     - curl
 
+#
+# Bypass https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224166#c1
+#
+- block:
+
+    - name: COMMAND | Create /usr/local/etc/fdfs/http.conf
+      command: touch /usr/local/etc/fdfs/http.conf
+      args:
+        creates: /usr/local/etc/fdfs/http.conf
+      register: fd1
+
+    - name: LINEINFILE | Tune fdfs
+      lineinfile:
+        regexp: ^load_fdfs_parameters_from_tracker
+        line: load_fdfs_parameters_from_tracker=false
+        path: /usr/local/etc/fdfs/mod_fastdfs.conf
+      register: fd2
+
+    - name: SERVICE | Restart nginx when fdfs is tuned
+      service:
+        name: nginx
+        state: restarted
+      when: fd1.changed or fd2.changed
+
+  when: true
+
 - name: FILE | Create configuration dir (like Debian)
-  file: path="{{ nginx_etc_dir }}/{{ item }}" state=directory
+  file:
+    path: "{{ nginx_etc_dir }}/{{ item }}"
+    state: directory
   with_items:
     - conf.d
     - sites-available
     - sites-enabled
 
-- name: STAT | Check fastcgi.conf
-  stat: path={{ nginx_etc_dir }}/fastcgi.conf
-  register: conf
+- name: FILE | Create log directory
+  file:
+    path: "{{ nginx_log_dir }}"
+    owner: "{{ nginx_user }}"
+    group: wheel
+    mode: 0755
+    state: directory
 
-- name: COPY | config
-  command: "cp {{ nginx_etc_dir }}/fastcgi_params {{ nginx_etc_dir }}/fastcgi.conf"
-  when: not conf.stat.exists
-  notify: reload nginx
-
-- name: LINEINFILE | Add fastcgi config
-  lineinfile: >
-    line="fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;"
-    dest="{{ nginx_etc_dir }}/fastcgi.conf"
-  notify: reload nginx
-
-- name: COPY | Populate proxy_params
-  copy: >
-    content="proxy_set_header Host $http_host;\nproxy_set_header X-Real-IP $remote_addr;\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;"
-    dest="{{ nginx_etc_dir }}/proxy_params"
+- name: SERVICE | Enable nginx
+  service:
+    name: nginx
+    enabled: yes

tasks/main.yml

@@ -1,14 +1,16 @@
 ---
 
-
 - name: INCLUDE_VARS | Related to OS
   include_vars: "{{ ansible_distribution }}.yml"
+  tags: ['nginx::site', 'nginx::ssl']
 
 - name: INCLUDE | Install
-  include: install_{{ ansible_distribution }}.yml
+  include: "install_{{ ansible_distribution }}.yml"
+  tags: ['nginx::site', 'nginx::ssl']
 
 - name: INCLUDE | Prepare
   include: prepare.yml
+  tags: ['nginx::site', 'nginx::ssl']
 
 - name: INCLUDE | Install
   include: config.yml
@@ -20,8 +22,9 @@
   include: htpasswd.yml
 
 - name: INCLUDE | SSL configuration
-  include: ssl.yml
-
-- name: INCLUDE | Vhosts configuration
-  include: vhost.yml
+  include: ssl/main.yml
+  tags: ['nginx::ssl']
 
+- name: INCLUDE | Sites configuration
+  include: site.yml
+  tags: ['nginx::site']

tasks/prepare.yml

@@ -6,19 +6,29 @@
     executable: /bin/sh
   register: nginx_version
   changed_when: false
+  check_mode: no
 
 - name: SHELL | Get module list
-  shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed 's/_module[[:space:]]*//g' | sort
+  shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed -r 's/_module//g; s/\s+//g' | sort
   args:
     executable: /bin/sh
   register: shell_modules
   changed_when: false
+  check_mode: no
 
 - name: SET_FACT | Save modules
   set_fact:
     nginx_modules: "{{ shell_modules.stdout_lines }}"
 
 - name: FILE | Create folders
-  file: dest={{ item }} owner=root mode=0755 state=directory
+  file:
+    dest: "{{ item.dir }}"
+    owner: "{{ item.owner }}"
+    mode: "{{ item.mode }}"
+    state: directory
   with_items: "{{ nginx_dirs }}"
 
+- name: FILE | Create ansible facts dir
+  file:
+    path: /etc/ansible/facts.d
+    state: directory

tasks/site.yml

@@ -0,0 +1,106 @@
+---
+
+- name: FAIL | Check filenames
+  fail:
+    msg: "Forbidden keyword default on site {{ item | nginx_site_name }}"
+  when: item.filename is defined and item.filename == 'default'
+  with_items: "{{ nginx_sites }}"
+  loop_control:
+    label: "{{ item | nginx_site_name }}"
+
+- name: FAIL | Check HTTPS redir and proto
+  fail:
+    msg: "You can't have HTTP proto and HTTPS redirection at the same time"
+  when:
+    ((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
+    (item.redirect_http is defined and item.redirect_http)
+  with_items: "{{ nginx_sites }}"
+  loop_control:
+    label: "{{ item | nginx_site_name }}"
+
+- name: FILE | Create root directory
+  file:
+    path: "{{ nginx_root }}"
+    state: directory
+
+- name: FILE | Create root public folders (foreach nginx_sites)
+  file:
+    path: "{{ nginx_root }}/{{ item | nginx_site_filename }}/public"
+    state: directory
+    owner: "{{ item.owner | default(nginx_user) }}"
+    group: "{{ item.group | default(nginx_user) }}"
+    mode: "{{ item.mode | default('0755') }}"
+  with_items: "{{ nginx_sites }}"
+  when: >
+    item.root is not defined and
+    (item.template is defined and item.template not in nginx_templates_no_dir) and
+    (item.state is not defined or not item.state != 'absent') and
+    item.redirect_to is not defined
+  loop_control:
+    label: "{{ item | nginx_site_name }}"
+
+- name: TEMPLATE | Create sites
+  template:
+    src: "etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2"
+    dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
+  with_items: "{{ nginx_sites }}"
+  notify: ['reload nginx', 'restart nginx freebsd']
+  when: item.state is not defined or item.state != 'absent'
+  loop_control:
+    label: "{{ item | nginx_site_name }}"
+
+- name: FILE | Delete sites
+  file:
+    path: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
+    state: absent
+  with_nested:
+    - "{{ nginx_sites }}"
+    - ['sites-available', 'sites-enabled']
+  notify: ['reload nginx', 'restart nginx freebsd']
+  when: item.0.state is defined and item.0.state == 'absent'
+  loop_control:
+    label: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
+
+- name: FILE | Enable sites
+  file:
+    src: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
+    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
+    state: link
+  with_items: "{{ nginx_sites }}"
+  notify: ['reload nginx', 'restart nginx freebsd']
+  when: >
+    item.state is not defined or item.state == 'present'
+  loop_control:
+    label: "{{ item | nginx_site_name }}"
+
+- name: FILE | Disable sites
+  file:
+    path: "{{ nginx_etc_dir}}/sites-enabled/{{ item | nginx_site_filename }}"
+    state: absent
+  with_items: "{{ nginx_sites }}"
+  notify: ['reload nginx', 'restart nginx freebsd']
+  when: item.state is defined and item.state == 'disabled'
+  loop_control:
+    label: "{{ item | nginx_site_name }}"
+
+- name: FILE | Delete default site when explicitely defined
+  file:
+    path: "{{ nginx_etc_dir }}/sites-enabled/default"
+    state: absent
+  notify: ['reload nginx', 'restart nginx freebsd']
+  when: nginx_default_site is not none
+
+- name: FILE | Auto set default site
+  file:
+    src: "{{ nginx_etc_dir }}/sites-available/default"
+    dest: "{{ nginx_etc_dir }}/sites-enabled/default"
+    state: link
+  notify: ['reload nginx', 'restart nginx freebsd']
+  when: nginx_default_site is none
+
+- name: TEMPLATE | Deploy facts
+  template:
+    src: etc/ansible/facts.d/nginx.fact.j2
+    dest: /etc/ansible/facts.d/nginx.fact
+    mode: 0644
+  notify: ['setup']

tasks/ssl.yml

@@ -1,39 +0,0 @@
----
-
-- name: COMMAND | Generate DH file
-  command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
-  args:
-    creates: "{{ nginx_dh_path }}"
-  when: nginx_dh is not string
-  notify: reload nginx
-
-- name: COPY | Deploy DH file from vars
-  copy: >
-    content="{{ nginx_dh }}"
-    dest="{{ nginx_dh_path }}"
-  when: nginx_dh is string
-  notify: reload nginx
-
-- name: FILE | Create SSL directories
-  file: >
-    path="{{ nginx_ssl_dir + '/' + item.name }}"
-    state=directory
-  with_items: "{{ nginx_ssl_pairs }}"
-  when: item.dest_key is not defined or item.dest_cert is not defined
-
-- name: COPY | Deploy SSL keys
-  copy: >
-    content="{{ item.key }}"
-    dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
-  with_items: "{{ nginx_ssl_pairs }}"
-  when: item.key is defined
-  notify: reload nginx
-
-- name: COPY | Deploy SSL certs
-  copy: >
-    content="{{ item.cert }}"
-    dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
-  with_items: "{{ nginx_ssl_pairs }}"
-  when: item.cert is defined
-  notify: reload nginx
-

tasks/ssl/acme.yml

@@ -0,0 +1,63 @@
+---
+
+- name: SET_FACT | Assign default..
+  set_fact:
+    acme_create: []
+
+- name: STAT | Check if certificates are already installed
+  stat:
+    path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.crt"
+  with_items: "{{ nginx_ssl_pairs }}"
+  when: item.acme is defined and item.acme
+  register: acme_installed_certs
+
+- name: SET_FACT | Assign var with certificates to create
+  set_fact:
+    acme_create: "{{ acme_create | default([]) + [ (item.item | combine({'listen': ([item.item.acme_port|default(80)]) }) ) ] }}"
+  with_items: "{{ acme_installed_certs.results }}"
+  when: item.skipped is not defined and not item.stat.exists
+
+- name: TEMPLATE | Create fake site
+  template:
+    src: "etc/nginx/sites-available/_base.j2"
+    dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
+  with_items: "{{ acme_create }}"
+  register: fake_site
+
+- name: SERVICE | Restart nginx
+  service:
+    name: nginx
+    state: restarted
+  when: fake_site.changed and ansible_virtualization_type != 'docker'
+
+- name: COMMAND | Restart nginx
+  command: service nginx restart
+  when: fake_site.changed and ansible_virtualization_type == 'docker'
+
+- name: SHELL | Get certificates
+  shell: '{{ nginx_acmesh_bin }} --issue{% if item.name is string %} -d {{ item.name }}{% else %}{% for name in item.name %} -d {{ name }}{% endfor %}{% endif %} --nginx {% if nginx_acmesh_test %}--test{% endif %}'
+  args:
+    creates: "/root/.acme.sh/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key"
+  with_items: "{{ acme_create }}"
+  register: acme_get
+  failed_when: acme_get.rc != 0 and acme_get.rc != 2
+  no_log: not nginx_debug_role
+
+- name: FILE | Create SSL dir per site
+  file:
+    path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}"
+  with_items: "{{ acme_create }}"
+
+- name: SHELL | Install certificates
+  shell: '{{ nginx_acmesh_bin }} --install-cert -d {{ item | nginx_site_name }} --fullchain-file {{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.crt --key-file {{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key'
+  args:
+    creates: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}/{{ item | nginx_site_name }}.key"
+  with_items: "{{ nginx_ssl_pairs }}"
+  when: item.acme is defined and item.acme
+  notify: restart nginx
+
+- name: FILE | Delete fake sites
+  file:
+    path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
+    state: absent
+  with_items: "{{ acme_create }}"

tasks/ssl/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: INCLUDE | standard.yml
+  include: standard.yml
+
+- name: INCLUDE | acme.yml
+  include: acme.yml
+  when: nginx_acmesh

tasks/ssl/standard.yml

@@ -0,0 +1,53 @@
+---
+
+- name: COMMAND | Generate DH file
+  command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
+  args:
+    creates: "{{ nginx_dh_path }}"
+  when: nginx_dh is not string
+  notify: restart nginx
+  async: 1000
+  register: dh
+
+- name: COPY | Deploy DH file from vars
+  copy:
+    content: "{{ nginx_dh }}"
+    dest: "{{ nginx_dh_path }}"
+  when: nginx_dh is string
+  notify: restart nginx
+
+- name: FILE | Create SSL directories
+  file:
+    path: "{{ nginx_ssl_dir + '/' + item.name }}"
+    state: directory
+  with_items: "{{ nginx_ssl_pairs }}"
+  when: item.dest_key is not defined or item.dest_cert is not defined
+  no_log: not nginx_debug_role
+
+- name: COPY | Deploy SSL keys
+  copy:
+    content: "{{ item.key }}"
+    dest: "{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
+    mode: 0640
+  with_items: "{{ nginx_ssl_pairs }}"
+  when: item.key is defined
+  notify: restart nginx
+  no_log: not nginx_debug_role
+
+- name: COPY | Deploy SSL certs
+  copy:
+    content: "{{ item.cert }}"
+    dest: "{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
+    mode: 0644
+  with_items: "{{ nginx_ssl_pairs }}"
+  when: item.cert is defined
+  notify: restart nginx
+  no_log: not nginx_debug_role
+
+- name: Check DH command status
+  async_status:
+    jid: "{{ dh.ansible_job_id }}"
+  register: job_result
+  until: job_result.finished
+  retries: 30
+  when: not ansible_check_mode and nginx_dh is not string

tasks/upstream.yml

@@ -1,15 +1,30 @@
 ---
 
 - name: TEMPLATE | Deploy PHP upstream to Nginx
-  template: >
-    src=etc/nginx/upstream/php.conf.j2
-    dest="{{ nginx_etc_dir }}/conf.d/php.conf"
-  when: nginx_php
+  template:
+    src: "etc/nginx/conf.d/php.conf.j2"
+    dest: "{{ nginx_etc_dir }}/conf.d/php.conf"
+  when: nginx_php | length > 0
   notify: reload nginx
 
+- name: FILE | Delete PHP upstream
+  file:
+    path: "{{ nginx_etc_dir }}/conf.d/php.conf"
+    state: absent
+  when: nginx_php | length == 0
+
 - name: TEMPLATE | Deploy other upstreams
-  template: >
-    src=etc/nginx/upstream/upstream.conf.j2
-    dest={{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf
+  template:
+    src: "etc/nginx/conf.d/_upstream.conf.j2"
+    dest: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
   with_items: "{{ nginx_upstreams }}"
+  when: item.state is not defined or item.state == 'present'
+  notify: reload nginx
+
+- name: FILE | Delete other upstreams
+  file:
+    path: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
+    state: absent
+  with_items: "{{ nginx_upstreams }}"
+  when: item.state is defined and item.state == 'absent'
   notify: reload nginx

tasks/vhost.yml

@@ -1,87 +0,0 @@
----
-
-- name: FAIL | Check filenames
-  fail: msg="Forbidden keyword default on vhost {{ item.name if item.name is string else item.name[0] }}"
-  when: item.filename is defined and item.filename == 'default'
-  with_items: "{{ nginx_vhosts }}"
-
-- name: FAIL | Check vhost and SSL/TLS support
-  fail: msg="Missmatch configuration for vhost {{ item.name if item.name is string else item.name[0] }}"
-  when: >
-    item.proto is defined and
-    'https' in item.proto and
-    item.ssl_name is not defined
-  with_items: "{{ nginx_vhosts }}"
-
-- name: FAIL | Check HTTPS redir and proto
-  fail: msg="You can't have HTTP proto and HTTPS redirection at the same time"
-  when: >
-    ((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
-    (item.redirect_http is defined and item.redirect_http)
-  with_items: "{{ nginx_vhosts }}"
-
-- name: FILE | Create root directory
-  file: >
-    path={{ nginx_root }}
-    state=directory
-
-- name: FILE | Create root public folders (foreach nginx_vhosts)
-  file: >
-    path={{ nginx_root }}/{{ item.name if item.name is string else item.name[0] }}/public
-    state=directory
-    owner={{ item.owner | default(nginx_user) }}
-    group={{ item.group | default(nginx_user) }}
-    mode={{ item.mode | default('0755') }}
-  with_items: "{{ nginx_vhosts }}"
-  when: >
-    item.root is not defined and
-    (item.template is defined and item.template not in nginx_templates_no_dir) and
-    (item.delete is not defined or not item.delete) and
-    item.redirect_to is not defined
-
-- name: TEMPLATE | Create vhosts
-  template: >
-    src=etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2
-    dest={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
-  with_items: "{{ nginx_vhosts }}"
-  notify: reload nginx
-  when: item.delete is not defined or not item.delete
-
-- name: FILE | Delete vhosts
-  file: path={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
-  with_items: "{{ nginx_vhosts }}"
-  notify: reload nginx
-  when: item.delete is defined and item.delete
-
-- name: FILE | Enable vhosts
-  file: >
-    src={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
-    dest={{ nginx_etc_dir }}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
-    state=link
-  with_items: "{{ nginx_vhosts }}"
-  notify: reload nginx
-  when: >
-    ((item.enable is not defined) or
-    (item.enable is defined and item.enable)) and
-    (item.delete is not defined or not item.delete)
-
-- name: FILE | Disable vhosts
-  file: path={{ nginx_etc_dir}}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
-  with_items: "{{ nginx_vhosts }}"
-  notify: reload nginx
-  when: (item.enable is defined and not item.enable) or (item.delete is defined and item.delete)
-
-- name: FILE | Delete default vhost when explicitely defined
-  file: >
-    path={{ nginx_etc_dir }}/sites-enabled/default
-    state=absent
-  notify: reload nginx
-  when: nginx_default_vhost is not none
-
-- name: FILE | Auto set default vhost
-  file: >
-    src={{ nginx_etc_dir }}/sites-available/default
-    dest={{ nginx_etc_dir }}/sites-enabled/default
-    state=link
-  notify: reload nginx
-  when: nginx_default_vhost is none

templates/etc/ansible/facts.d/nginx.fact.j2

@@ -0,0 +1,4 @@
+{
+       "fact_nginx_sites":
+       {{ nginx_sites | to_nice_json(indent=8) }}
+}

templates/etc/nginx/conf.d/php.conf.j2

@@ -0,0 +1,20 @@
+#
+# {{ ansible_managed }}
+#
+
+{% for php in nginx_php %}
+upstream {{ php.upstream_name | default((php.version | php_default_upstream_name)) }} {
+{% for sock in php.sockets | default([]) %}
+{% if sock.host is defined %}
+    server {{ sock.host }}:{{ sock.port }} weight={{ sock.weight | default('1') }} max_fails={{ sock.max_fails | default('5') }} fail_timeout={{ sock.fail_timeout | default('10s') }};
+{% else %}
+    server unix:{{ sock.unix | default((php.version | php_default_upstream_socket)) }} weight={{ sock.weight | default('1') }};
+{% endif %}
+{% else %}
+    server unix:{{ php.version | php_default_upstream_socket }} weight=1;
+{% endfor %}
+}
+
+{% endfor %}
+
+# vim:filetype=nginx

templates/etc/nginx/helper/ssl-legacy.j2

@@ -3,14 +3,12 @@
 #
 
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2{% if nginx_version.stdout | version_compare('1.13.0', 'ge') %} TLSv1.3{% endif %};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
-{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;
-{% endif %}
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};

templates/etc/nginx/helper/ssl-strong.j2

@@ -3,14 +3,12 @@
 #
 
 ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2{% if nginx_version.stdout | version_compare('1.13.0', 'ge') %} TLSv1.3{% endif %};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
-{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
 ssl_stapling on;
 ssl_stapling_verify on;
-{% endif %}
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};

templates/etc/nginx/nginx.conf.j2

@@ -5,6 +5,9 @@
 user {{ nginx_user }};
 worker_processes {{ nginx_worker_processes }};
 pid {{ nginx_pid }};
+{% if nginx_version.stdout | version_compare('1.9.11', 'ge') %}
+include {{ nginx_etc_dir }}/modules-enabled/*.conf;
+{% endif %}
 
 events {
 	worker_connections {{ nginx_events_worker_connections }};

templates/etc/nginx/sites-available/_backuppc.j2

@@ -25,7 +25,7 @@
 {% block template_upstream_location %}
 	location ~ \.cgi$ {
 		gzip off;
-		include {{ nginx_etc_dir }}/fastcgi_params;
+		include fastcgi.conf;
 		fastcgi_pass unix:/var/run/fcgiwrap.socket;
 		fastcgi_index BackupPC_Admin;
 		fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name;

templates/etc/nginx/sites-available/_base.j2

@@ -1,14 +1,20 @@
 {% set __proto = item.proto | default(['http']) %}
-{% set __main_name =  item.name if item.name is string else item.name[0] %}
-{% set __listen = item.listen | default(['80']) %}
-{% set __listen_ssl = item.listen_ssl | default(['443']) %}
+{% set __main_name =  item | nginx_site_filename %}
+{% set __listen = item.listen | default([80]) %}
+{% set __listen_ssl = item.listen_ssl | default([443]) %}
+{% set __http_proxy_protocol_port = item.http_proxy_protocol_port | default([]) %}
+{% set __https_proxy_protocol_port = item.https_proxy_protocol_port | default([]) %}
 {% set __location = item.location | default({}) %}
-{% set __headers = item.headers | default({'X-Frame-Options': 'DENY always', 'X-Content-Type-Options': 'nosniff always' }) %}
+{% set __headers = item.headers | default(nginx_servers_default_headers) %}
+{% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %}
+{% set __location_order = item.location_order | default(__location.keys()) %}
 {% macro htpasswd(htpasswd_name, indent=1) -%}
-{% for ht in nginx_htpasswd if ht.name == htpasswd_name %}
+{%- if htpasswd_name != false %}
+{%- for ht in nginx_htpasswd if ht.name == htpasswd_name %}
 {{ "\t" * indent }}auth_basic "{{ ht.description }}";
 {{ "\t" * indent }}auth_basic_user_file {{ nginx_htpasswd_dir }}/{{ ht.name }};
-{% endfor%}
+{%- endfor %}
+{%- endif %}
 {%- endmacro %}
 {% macro ssl(ssl_name) %}
 {% for sn in nginx_ssl_pairs if sn.name == ssl_name %}
@@ -16,6 +22,18 @@
 	ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }};
 {% endfor %}
 {%- endmacro %}
+{% macro httpsredirect(name) %}
+server {
+{% for port in __listen %}
+	listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
+{% endfor %}
+	server_name {{ name }};
+	location / {
+		return 301 https://{{ name }}{% if '443' not in __listen_ssl and 443 not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
+	}
+}
+{% endmacro %}
+
 #
 # {{ ansible_managed }}
 #
@@ -26,19 +44,19 @@
 server {
 {% if 'http' in __proto %}
 {% for port in __listen %}
-	listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %};
+	listen {{ port }}{% if nginx_default_site == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
 {% endif %}
 {% if 'https' in __proto %}
 {% for port in __listen_ssl %}
-	listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %};
+	listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
-{{ ssl(item.ssl_name) }}
+{{ ssl(__ssl_name) }}
 {% if item.ssl_template is not defined or item.ssl_template != false %}
 	include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
 {% endif %}
 {% endif %}
-	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
+	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t"  }}{{ item.name | join("\n\t\t") }}{% endif %};
 {% block root %}
 {% if item.root is defined %}
 	root {{ item.root }};
@@ -50,11 +68,13 @@ server {
 	index {{ item.index | default('index.html index.htm') }};
 {% endblock %}
 
+{% block template_more %}
 {% if item.more is defined and item.more is iterable %}
 {% for line in item.more %}
 	{{ line }}
 {% endfor %}
 {% endif %}
+{% endblock %}
 
 {% if item.htpasswd is defined %}
 {{ htpasswd(item.htpasswd, 1) }}
@@ -63,7 +83,7 @@ server {
 {% block template_headers %}
 	# --> Custom headers
 {% for key, value in __headers.iteritems() %}
-	add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
+	add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
 {% endfor %}
 	# <-- Custom headers
 {% endblock %}
@@ -81,6 +101,20 @@ server {
 {% block template_custom_location %}
 {% endblock %}
 
+{% if __location_order | length > 0 %}
+	# --> Custom locations
+{% for location in __location_order %}
+	location {{ location }} {
+{% set opts = __location[location] %}
+{% for opt in opts %}
+{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %}
+		{{ opt }}
+{% endif %}
+{% endfor  %}
+	}
+{% endfor %}	# <-- Custom locations
+{% endif %}
+
 {% block template_local_content %}
 {% if item.manage_local_content is not defined or item.manage_local_content %}
 	location ~ /\.ht {
@@ -100,19 +134,6 @@ server {
 {% endif %}
 {% endblock %}
 
-{% if __location is iterable and __location | length > 0 %}
-	# --> Custom locations
-{% for location, opts in __location.iteritems() %}
-	location {{ location }} {
-{% for opt in opts %}
-{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %}
-		{{ opt }}
-{% endif %}
-{% endfor  %}
-	}
-{% endfor %}	# <-- Custom locations
-{% endif %}
-
 {% if item.use_access_log is defined %}
 {% if item.use_access_log %}
 	access_log {{ nginx_log_dir }}/{{ __main_name }}_access.log combined;
@@ -133,15 +154,14 @@ server {
 #
 # Redirect HTTP to HTTPS
 #
-server {
-{% for port in __listen %}
-	listen {{ port }};
+{% if item.name is string %}
+{{ httpsredirect(item.name) }}
+{% else %}
+{% for i in item.name %}
+{{ httpsredirect(i) }}
 {% endfor %}
-	server_name {% if item.name is string %}{{ item.name }}{% else %}{{ item.name | join(' ') }}{% endif %};
-	return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:__listen_ssl[0]{% endif %}$request_uri;
-}
 {% endif %}
-
+{% endif %}
 
 {% if item.redirect_from is defined and item.redirect_from is iterable %}
 #
@@ -149,11 +169,30 @@ server {
 #
 server {
 {% for port in __listen %}
-	listen {{ port }};
+	listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %};
 {% endfor %}
-	server_name {{ item.redirect_from | join(' ') }};
-	return 301 $scheme://{{ __main_name }}$request_uri;
+	server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %};
+	location / {
+		return 301 $scheme://{{ item.name if item.name is string else item.name[0] }}$request_uri;
+	}
+}
+
+{% if 'https' in __proto %}
+server {
+{% for port in __listen_ssl %}
+	listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %};
+{% endfor %}
+{{ ssl(__ssl_name) }}
+{% if item.ssl_template is not defined or item.ssl_template != false %}
+	include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
+{% endif %}
+	server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %};
+	location / {
+		return 301 https://{{ item.name if item.name is string else item.name[0] }}{% if '443' not in __listen_ssl and 443 not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
+	}
 }
 {% endif %}
 
+{% endif %}
+
 # vim:filetype=nginx

templates/etc/nginx/sites-available/_nagios3.j2

@@ -1,4 +1,4 @@
-{% extends "_base.j2" %}
+{% extends "_php.j2" %}
 
 {% block root %}
 	root {{ nginx_nagios_root }};
@@ -16,9 +16,9 @@
 {% for key, value in __headers.iteritems() %}
 {% if key == "X-Frame-Options" %}
 	# X-Frame-Options forced by Ansible
-	add_header {{ key }} SAMEORIGIN{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
+	add_header {{ key }} "SAMEORIGIN"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
 {% else %}
-	add_header {{ key }} {{ value | replace(' always', '') }}{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
+	add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
 {% endif %}
 {% endfor %}
 	# <-- Custom headers
@@ -46,22 +46,14 @@
 	location /cgi-bin {
 {% endif %}
 		try_files $uri =404;
-{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
-		include fastcgi_params;
-{% else %}
 		include fastcgi.conf;
-{% endif %}
 		fastcgi_pass unix:{{ nginx_fcgiwrap_sock }};
 		fastcgi_param AUTH_USER $remote_user;
 		fastcgi_param REMOTE_USER $remote_user;
 	}
 	location ~ \.php$ {
-		fastcgi_pass php;
+		fastcgi_pass {{ php_upstream }};
 		fastcgi_index index.php;
-{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
-		include fastcgi_params;
-{% else %}
 		include fastcgi.conf;
-{% endif %}
 	}
 {% endblock %}

templates/etc/nginx/sites-available/_php.j2

@@ -1,25 +1,34 @@
 {% extends "_base.j2" %}
+
+{% if item.php_version is defined %}
+{% set php_info = 'Explicit PHP version on site' %}
+{% set php_upstream = (nginx_php|selectattr('version', 'equalto', item.php_version)|first).upstream_name | default(item.php_version | php_default_upstream_name) %}
+{% elif item.php_upstream is defined %}
+{% set php_info = 'Explicit Nginx/PHP upstream on site' %}
+{% set php_upstream = item.php_upstream %}
+{% else %}
+{% set php_info = 'Warning: using first PHP version on config' %}
+{% set php_upstream = nginx_php.0.upstream_name | default(nginx_php.0.version | php_default_upstream_name) %}
+{% endif %}
+
 {% block template_index %}
 	index {{ item.index | default('index.html index.htm index.php') }};
 {% endblock %}
 
 {% block template_try_files %}
-		try_files {{ override_try_files | default('$uri $uri/ /index.php') }};
+		try_files {{ override_try_files | default('$uri $uri/ =404') }};
 {% endblock %}
 
 {% block template_upstream_location %}
 	location ~ \.php$ {
-		fastcgi_pass php;
+		# {{ php_info }}
+		fastcgi_pass {{ php_upstream }};
 		fastcgi_index index.php;
 {% if item.upstream_params is defined and item.upstream_params is iterable %}
 {% for param in item.upstream_params %}
 		{{ param }}
 {% endfor %}
 {% endif %}
-{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
-		include fastcgi_params;
-{% else %}
 		include fastcgi.conf;
-{% endif %}
 	}
 {% endblock %}

templates/etc/nginx/sites-available/_php_index.j2

@@ -2,18 +2,15 @@
 
 {% block template_upstream_location %}
 	location = /index.php {
-		fastcgi_pass php;
+		# {{ php_info }}
+		fastcgi_pass {{ php_upstream }};
 		fastcgi_index index.php;
 {% if item.upstream_params is defined and item.upstream_params is iterable %}
 {% for param in item.upstream_params %}
 		{{ param }}
 {% endfor %}
 {% endif %}
-{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
-		include fastcgi_params;
-{% else %}
 		include fastcgi.conf;
-{% endif %}
 	}
 {% endblock %}
 

templates/etc/nginx/sites-available/_php_index2.j2

@@ -0,0 +1,19 @@
+{% extends "_php.j2" %}
+
+{% block template_try_files %}
+		try_files {{ override_try_files | default('$uri $uri/ /index.php') }};
+{% endblock %}
+
+{% block template_upstream_location %}
+	location = /index.php {
+		# {{ php_info }}
+		fastcgi_pass {{ php_upstream }};
+		fastcgi_index index.php;
+{% if item.upstream_params is defined and item.upstream_params is iterable %}
+{% for param in item.upstream_params %}
+		{{ param }}
+{% endfor %}
+{% endif %}
+		include fastcgi.conf;
+	}
+{% endblock %}

templates/etc/nginx/sites-available/_wordpress.j2

@@ -3,3 +3,9 @@
 {% block template_try_files %}
 	try_files $uri $uri/ /index.php?$args;
 {% endblock %}
+
+{% block template_custom_location %}
+	location ~* /(?:uploads|files)/.*\.php$ {
+		deny all;
+	}
+{% endblock %}

templates/etc/nginx/upstream/php.conf.j2

@@ -1,15 +0,0 @@
-#
-# {{ ansible_managed }}
-#
-
-upstream php {
-{% for item in nginx_php_sockets %}
-{% if item.unix_socket is defined %}
-	server unix:{{ item.unix_socket }} weight={{ item.weight | default('1') }};
-{% else %}
-	server {{ item.host }}:{{ item.port }} weight={{ item.weight | default('1') }} max_fails={{ item.max_fails | default('5') }} fail_timeout={{ item.fail_timeout | default('10s') }};
-{% endif %}
-{% endfor %}
-}
-
-# vim:filetype=nginx

tests/debian-jessie.Dockerfile

@@ -1,4 +0,0 @@
-FROM williamyeh/ansible:debian8-onbuild
-
-RUN apt-get update
-CMD ["sh", "tests/test.sh"]

tests/debian-wheezy.Dockerfile

@@ -1,4 +0,0 @@
-FROM williamyeh/ansible:debian7-onbuild
-
-RUN apt-get update
-CMD ["sh", "tests/test.sh"]

tests/includes/post_Debian.yml

@@ -1,10 +1,20 @@
 ---
 
-- name: APT | Install web apps
-  apt: pkg={{ item }} state=present
+- name: APT | Install webapps
+  apt:
+    pkg: "{{ item }}"
+    state: present
+    install_recommends: no
   with_items:
-    - nagios3
     - backuppc
 
+- name: APT | Install nagios3 (only on old Debian releases)
+  apt:
+    pkg: nagios3
+    state: present
+  when: ansible_distribution_major_version | version_compare('9', 'lt')
+
 - name: SERVICE | Ensure backuppc is started
-  service: name=backuppc state=started
+  service:
+    name: backuppc
+    state: started

tests/includes/post_FreeBSD.yml

@@ -1,28 +1,30 @@
 ---
 
-- name: APT | Install web apps
-  pkgng: pkg={{ item }} state=present
-  with_items:
-    - nagios
-    - backuppc
-
-- name: COMMAND | Activate backuppc config
-  command: >
-    cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl
-    creates=/usr/local/etc/backuppc/config.pl
-
-- name: FILE | Fix backuppc permissions
-  file: >
-    path=/usr/local/etc/backuppc/config.pl
-    owner=backuppc
-    group=backuppc
-
-- name: FILE | Fix fcgiwrap permission
-  file: >
-    path={{ nginx_fcgiwrap_sock }}
-    mode=0640
-    owner={{ nginx_user }}
-    group={{ nginx_user }}
+#- name: APT | Install web apps
+#  pkgng:
+#    pkg: "{{ item }}"
+#    state: present
+#  with_items:
+#    - nagios
+#    - backuppc
+#
+#- name: COMMAND | Activate backuppc config
+#  command: >
+#    cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl
+#    creates=/usr/local/etc/backuppc/config.pl
+#
+#- name: FILE | Fix backuppc permissions
+#  file:
+#    path: /usr/local/etc/backuppc/config.pl
+#    owner: backuppc
+#    group: backuppc
+#
+#- name: FILE | Fix fcgiwrap permission
+#  file:
+#    path: "{{ nginx_fcgiwrap_sock }}"
+#    mode: 0640
+#    owner: "{{ nginx_user }}"
+#    group: "{{ nginx_user }}"
 
 #
 # We don't manage BackupPC on FreeBSD... too dirty. :/

tests/includes/pre_Debian.yml

@@ -1,22 +1,99 @@
 ---
 
 - name: APT_REPOSITORY | Install backports
-  apt_repository: repo='deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' state=present
+  apt_repository:
+    repo: 'deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main'
+    state: present
+  when: nginx_backports
+
+- block:
+
+  - name: APT | Install DotDeb key
+    apt_key:
+      url: 'http://www.dotdeb.org/dotdeb.gpg'
+      state: present
+
+  - name: APT_REPOSITORY | Install dotdeb (PHP 7)
+    apt_repository:
+      repo: 'deb http://packages.dotdeb.org {{ ansible_distribution_release }} all'
+      state: present
+
+  - name: LINEFILEFILE | Dotdeb priority (prevent install nginx from dotdeb)
+    copy:
+      content: "Package: *\nPin: release o=packages.dotdeb.org\nPin-Priority: 100"
+      dest: /etc/apt/preferences
+
+  when: ansible_distribution_release == 'jessie' and dotdeb | default(false)
+
+- block:
+
+  - name: APT | Install apt-transport-https
+    apt:
+      pkg: apt-transport-https
+      update_cache: yes
+      cache_valid_time: 3600
+
+  - name: APT_KEY | Install GPG key
+    apt_key:
+      url: 'https://packages.sury.org/php/apt.gpg'
+
+  - name: APT_REPOSITORY | Add APT repository
+    apt_repository:
+      repo: 'deb https://packages.sury.org/php {{ ansible_distribution_release }} main'
+
+  when: sury | default(false)
 
 - name: APT | Install needed packages
-  apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present
+  apt:
+    pkg: "{{ item }}"
+    update_cache: yes
+    cache_valid_time: 3600
+    state: present
   with_items:
-    - php5-fpm
+    - cron
     - curl
     - fcgiwrap
+    - jq
+    - nghttp2
+    - strace
+    - vim
+    - unzip
 
-- name: APT | Install nghttp2
-  apt: pkg=nghttp2 state=present
-  when: ansible_distribution_major_version | version_compare(8, 'ge')
+- name: APT | Install daemonize from Stretch
+  apt:
+    deb: http://ftp.us.debian.org/debian/pool/main/d/daemonize/daemonize_1.7.7-1+b1_amd64.deb
 
-- name: SERVICE | Force start services
-  service: name={{ item }} state=started
-  register: sf
-  with_items:
-    - php5-fpm
-    - fcgiwrap
+- name: APT | Install PHP
+  apt:
+    pkg: "{{ item.version | php_fpm_package }}"
+    update_cache: yes
+    cache_valid_time: 3600
+    state: present
+  with_items: "{{ nginx_php }}"
+  register: apt_php
+
+- name: SERVICE | Force start fcgiwrap
+  service:
+    name: "fcgiwrap"
+    state: started
+
+# Bypasses Ansible 2.4 issue (cannot use service module)... With service module... php is not really started!
+- name: COMMAND | Force start PHP
+  command: "service {{ item.version | php_fpm_service }} start"
+  with_items: "{{ nginx_php }}"
+  when: apt_php.changed
+
+- name: GET_URL | Download ngrok
+  get_url:
+    url: "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip"
+    dest: "/tmp/ngrok.zip"
+
+- name: UNARCHIVE | Uncompress ngrok
+  unarchive:
+    src: "/tmp/ngrok.zip"
+    dest: "/tmp"
+    remote_src: yes
+
+- name: SET_FACT | ngrok_path
+  set_fact:
+    ngrok_path: '/tmp/ngrok'

tests/includes/pre_FreeBSD.yml

@@ -2,23 +2,64 @@
 
 - name: SET_FACT | FreeBSD web user
   set_fact:
-    nginx_pkgng_package: 'nginx-devel'
+    nginx_pkgng_package: 'nginx-full'
     nginx_user: 'www'
-    nginx_php_sockets:
+    nginx_php:
+      - version: '7.2'
+        sockets:
           - host: '127.0.0.1'
             port: 9000
+    nginx_load_modules:
+      - /usr/local/libexec/nginx/ngx_http_geoip_module.so
+    ngrok_path: '/usr/local/bin/ngrok'
 
 - name: PKGNG | Install needed packages
-  pkgng: pkg={{ item }} state=present
+  pkgng:
+    pkg: "{{ item }}"
+    state: present
   with_items:
-    - php56
     - curl
+    - daemonize
     - fcgiwrap
+    - GeoIP
+    - jq
     - nghttp2
+    - php72
+    - vim
+
+- name: COMMAND | Get geoip database
+  command: geoipupdate.sh
+  args:
+    creates: /usr/local/share/GeoIP/GeoIP.dat
 
 - name: SERVICE | Force start services
-  service: name={{ item }} state=started enabled=yes
+  service:
+    name: "{{ item }}"
+    state: started
+    enabled: yes
   register: sf
   with_items:
     - php-fpm
     - fcgiwrap
+
+- name: STAT | Check ports
+  stat:
+    path: /usr/ports
+  register: ports
+
+- block:
+
+    - name: COMMAND | Get ports
+      command: portsnap fetch --interactive
+
+    - name: COMMAND | Extract ports
+      command: portsnap extract
+      no_log: true
+
+  when: not ports.stat.exists
+
+- name: SHELL | Install ngrok
+  shell: make install clean DISABLE_LICENSES=yes
+  args:
+    chdir: /usr/ports/security/ngrok
+    creates: "{{ ngrok_path }}"

tests/includes/pre_common.yml

@@ -0,0 +1,18 @@
+---
+
+- name: SHELL | Start ngrok
+  shell: daemonize -l /tmp/ngrok.lock {{ ngrok_path }} http 8888 -bind-tls=false
+  failed_when: false
+  changed_when: ngrok.stderr.find("Can't lock the lock file") == -1
+  register: ngrok
+
+- name: WAIT_FOR | ngrok started
+  wait_for:
+    delay: 2
+    port: 4040
+  when: ngrok.changed
+
+- name: SHELL | Get ngrok public address
+  shell: curl 'http://127.0.0.1:4040/api/tunnels/command_line' | jq '.public_url' | grep -oE '[[:alnum:]]+\.ngrok\.io'
+  register: ngrok
+  changed_when: false

tests/inventory

@@ -1 +0,0 @@
-localhost

tests/test.sh

@@ -1,21 +0,0 @@
-#!/bin/sh
-
-# Thanks to https://servercheck.in/blog/testing-ansible-roles-travis-ci-github
-
-DIR=$( dirname $0 )
-INVENTORY_FILE="$DIR/inventory"
-PLAYBOOK="$DIR/test.yml"
-
-set -ev
-
-# Check syntax
-ansible-playbook -i $INVENTORY_FILE -c local --syntax-check -vv $PLAYBOOK
-
-# Check role
-ansible-playbook -i $INVENTORY_FILE -c local --sudo -vv $PLAYBOOK
-
-# Check indempotence
-ansible-playbook -i $INVENTORY_FILE -c local --sudo -vv $PLAYBOOK \
-| grep -q 'changed=0.*failed=0' \
-&& (echo 'Idempotence test: pass' && exit 0) \
-|| (echo 'Idempotence test: fail' && exit 1)

tests/test.yml

@@ -4,19 +4,39 @@
   pre_tasks:
     - name: INCLUDE | Pre_tasks related to OS version
       include: "includes/pre_{{ ansible_distribution }}.yml"
+
+    - name: INCLUDE | Pre_tasks common
+      include: "includes/pre_common.yml"
+
     - name: FILE | Create an internal SSL dir
-      file: path={{ int_ansible_ssl_dir }} state=directory
+      file:
+        path: "{{ int_ansible_ssl_dir }}"
+        state: directory
+
     - name: COPY | Deploy test certificate
-      copy: src=file/test.crt dest={{ int_ansible_ssl_dir }}/test.crt
+      copy:
+        src: "file/test.crt"
+        dest: "{{ int_ansible_ssl_dir }}/test.crt"
+
     - name: COPY | Deploy test key
-      copy: src=file/test.key dest={{ int_ansible_ssl_dir }}/test.key
+      copy:
+        src: "file/test.key"
+        dest: "{{ int_ansible_ssl_dir }}/test.key"
+
+    - name: LINEINFILE | Add all hosts in /etc/hosts
+      lineinfile:
+        line: "127.0.0.1\tlocalhost {% for s in nginx_sites %}{% if s.name is string %}{{ s.name }}{% else %}{% for n in s.name %}{{ n }} {% endfor %}{% endif %} {% if s.redirect_from is defined %}{% for rf in s.redirect_from %}{{ rf }} {% endfor %}{% endif %}{% endfor %}"
+        regexp: '^127\.0\.0\.1'
+        dest: "/etc/hosts"
+        unsafe_writes: yes
+
   vars:
 # Internal vars
     int_ansible_ssl_dir: '/etc/ansible-ssl'
 # Role vars
     nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number
-    nginx_backports: true
-    nginx_php: true
+    nginx_apt_package: 'nginx-extras'
+    nginx_module_packages: ['libnginx-mod-http-headers-more-filter']
     nginx_upstreams:
       - name: 'test'
         servers:
@@ -24,6 +44,13 @@
             max_conns: 150
             weight: 10
             down: false
+      - name: 'test-absent'
+        servers:
+          - path: '127.0.0.1:80'
+            max_conns: 150
+            weight: 10
+            down: false
+        state: 'absent'
     nginx_htpasswd:
       - name: 'hello'
         description: 'Please login!'
@@ -42,7 +69,12 @@
         description: 'Please login!'
         users: []
         state: 'absent'
+    nginx_acmesh: true
+    nginx_acmesh_test: true
     nginx_ssl_pairs:
+      - name: '{{ ngrok.stdout }}'
+        acme: true
+        acme_port: 8888
       - name: 'test-ssl-predeployed.local'
         dest_key: "{{ int_ansible_ssl_dir }}/test.key"
         dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
@@ -97,9 +129,16 @@
           -----END CERTIFICATE-----
     nginx_custom_http:
       - 'add_header X-ansible 1;'
-    nginx_default_vhost: 'test.local'
-    nginx_default_vhost_ssl: 'test-ssl-predeployed.local'
-    nginx_vhosts:
+      - 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
+      - 'map $geoip_country_code $allowed_country {'
+      - '    default yes;'
+      - '    MA no;'
+      - '    DZ no;'
+      - '    TN no;'
+      - '}'
+    nginx_default_site: 'first-test'
+    nginx_default_site_ssl: 'test-ssl-predeployed.local'
+    nginx_sites:
       - name:
           - 'test.local'
           - 'test-alias.local'
@@ -111,7 +150,7 @@
           'X-Frame-Options': 'deny always'
           'X-ansible-default': '1'
         manage_local_content: false
-        use_error_log: false
+        use_error_log: true
         more:
           - 'autoindex off;'
         location:
@@ -129,6 +168,9 @@
         location:
           '/hello':
             - htpasswd: 'hello'
+          '/public':
+            - htpasswd: false
+        use_error_log: true
       - name: 'test-htpasswd-all.local'
         template: '_base'
         htpasswd: 'hello'
@@ -137,7 +179,19 @@
         location:
           '/':
             - 'alias /var/tmp;'
+          '/a':
+            - 'alias /var/tmp;'
+          '/b':
+            - 'alias /var/tmp;'
+          '/c':
+            - 'alias /var/tmp;'
+        location_order:
+          - '/'
+          - '/a'
+          - '/b'
+          - '/c'
       - name: 'test-php.local'
+        php_version: "{{ nginx_php.1.version if nginx_php.1 is defined else nginx_php.0.version }}"
         upstream_params:
           - 'fastcgi_param FOO bar;'
         redirect_from:
@@ -147,6 +201,8 @@
         use_access_log: true
       - name: 'test-php-index.local'
         template: '_php_index'
+      - name: 'test-php-index2.local'
+        template: '_php_index2'
       - name: 'test-proxy.local'
         listen:
           - 8080
@@ -155,7 +211,7 @@
         headers:
           'X-proxyfied': '1'
       - name: 'deleted.local'
-        delete: true
+        state: 'absent'
       - name: 'redirect-to.local'
         redirect_to: 'http://test.local'
       - name: 'backuppc.local'
@@ -167,7 +223,6 @@
       - name: 'test-ssl.local'
         proto: ['http', 'https']
         template: '_base'
-        ssl_name: 'test-ssl.local'
       - name: 'test-ssl-predeployed.local'
         proto: ['http', 'https']
         template: '_base'
@@ -180,6 +235,31 @@
         template: '_base'
         ssl_name: 'test-ssl.local'
         redirect_https: true
+      - name:
+          - 'test-ssl-redirect-many.local'
+          - 'test-ssl-redirect-many2.local'
+        listen_ssl: [8443]
+        proto: ['https']
+        template: '_base'
+        ssl_name: 'test-ssl.local'
+        redirect_https: true
+        redirect_from:
+          - 'www.test-ssl-redirect-many.local'
+          - 'www.test-ssl-redirect-many2.local'
+      - name: 'test-ssl-proxy-protocol.local'
+        proto: ['http', 'https']
+        listen: [80, 20080]
+        listen_ssl: [443, 20443]
+        http_proxy_protocol_port: [20080]
+        https_proxy_protocol_port: [20443]
+        template: '_base'
+        ssl_name: 'test-ssl.local'
+      - name: '{{ ngrok.stdout }}'
+        proto: ['http', 'https']
+        template: '_base'
+        ssl_name: '{{ ngrok.stdout }}'
+        headers:
+          'X-acme': '1'
     nginx_dh_length: 1024
   roles:
     - ../../
@@ -189,158 +269,260 @@
 # --------------------------------
     - name: INCLUDE | Post_tasks related to OS version
       include: "includes/post_{{ ansible_distribution }}.yml"
+
 # --------------------------------
 # Deploy index files
 # --------------------------------
     - name: -- Add PHP file --
-      copy: dest="{{ nginx_root }}/{{ item }}/public/index.php" content="<?php phpinfo();"
-      with_items: ['test-php.local', 'test-php-index.local']
+      copy:
+        dest: "{{ nginx_root }}/{{ item }}/public/index.php"
+        content: "<?php phpinfo();"
+      with_items:
+        - 'test-php.local'
+        - 'test-php-index.local'
+        - 'test-php-index2.local'
+
     - name: -- Add HTML file --
-      copy: dest="{{ item }}/index.html" content="Index HTML test OK\n"
-      with_items: ['{{ nginx_root }}/test.local/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public']
+      copy:
+        dest: "{{ item }}/index.html"
+        content: "Index HTML test OK\n"
+      with_items:
+        - '{{ nginx_root }}/first-test/public'
+        - '/var/tmp'
+        - '{{ nginx_root }}/test-htpasswd-all.local/public'
+        - '{{ nginx_root }}/test-ssl.local/public'
+        - '{{ nginx_root }}/test-ssl-predeployed.local/public'
+        - '{{ nginx_root }}/test-ssl-proxy-protocol.local/public'
+        - '{{ nginx_root }}/{{ ngrok.stdout }}/public'
+
     - name: -- Create directory --
-      file: path={{ nginx_root }}/test-htpasswd.local/public/hello state=directory
+      file:
+        path: "{{ nginx_root }}/test-htpasswd.local/public/hello"
+        state: directory
+
     - name: -- Add HTML file hello --
-      copy: dest="{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" content="hello\n"
+      copy:
+        dest: "{{ nginx_root }}/test-htpasswd.local/public/hello/index.html"
+        content: "hello\n"
+
 # --------------------------------
-# Simple vhosts tests
+# Test custom facts
 # --------------------------------
-    - name: -- VERIFY VHOSTS --
-      command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
-      with_items: "{{ nginx_vhosts }}"
-      when: item.delete is undefined or not item.delete
+    - name: -- CHECK FACTS --
+      assert:
+        that: "'{{ ansible_local.nginx.fact_nginx_sites[0].name[0] }}' == 'test.local'"
+# --------------------------------
+# Simple sites tests
+# --------------------------------
+    - name: -- VERIFY SITES --
+      uri:
+        url: "http://{{ item | nginx_site_name }}{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
+        status_code: '200,301,302,401,403'
+        follow_redirects: none
+      with_items: "{{ nginx_sites }}"
+      when: item.state is undefined or item.state != "absent"
       changed_when: false
+
     - name: -- VERIFY FORBIDDEN --
-      command: "curl -H 'Host: test-php-index.local' http://127.0.0.1/phpinfo.php"
-      register: f
-      failed_when: f.stdout.find('403 Forbidden') == -1
+      uri:
+        url: "http://test-php-index.local/phpinfo.php"
+        status_code: 403
+
+    - name: -- VERIFY REDIRECT SITES --
+      uri:
+        url: "http://{{ item.redirect_from[0] }}/"
+        status_code: 301
+        follow_redirects: none
+      with_items: "{{ nginx_sites }}"
+      when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and (item.proto is not defined or 'https' not in item.proto)
       changed_when: false
-    - name: -- VERIFY REDIRECT VHOSTS --
-      command: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/"
-      with_items: "{{ nginx_vhosts }}"
-      when: item.redirect_from is defined and (item.delete is undefined or not item.delete)
+
+    - name: -- VERIFY REDIRECT HTTPS SITES --
+      uri:
+        url: "https://{{ item.redirect_from[0] }}:{{ item.listen_ssl[0] | default(443) }}/"
+        status_code: 301
+        follow_redirects: none
+        validate_certs: no
+      with_items: "{{ nginx_sites }}"
+      when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and item.proto is defined and 'https' in item.proto
       changed_when: false
-      register: r
-      failed_when: r.stdout.find('301 Moved Permanently') == -1
 
 # --------------------------------
 # PHP
 # --------------------------------
-    - name: -- VERIFY PHP VHOSTS --
-      command: "curl -H 'Host: {{ item }}' http://127.0.0.1/"
+    - name: -- VERIFY PHP SITES --
+      uri:
+        url: "http://{{ item.name}}/"
+        return_content: yes
       register: p
-      changed_when: false
-      failed_when: p.stdout.find('PHP Version') == -1
-      with_items: ['test-php.local', 'test-php-index.local']
+      with_items: "{{ nginx_sites }}"
+      when: >
+        item.template is defined and
+        (item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2')
+      failed_when: p.content.find('PHP Version ' + item.php_version if 'php_version' in item else nginx_php.0.version) == -1
+
+    - name: -- VERIFY INDEX2 --
+      uri:
+        url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet"
+        return_content: yes
+      register: p2
+      failed_when: p2.content.find('PHP Version') == -1
 
 # --------------------------------
 # Basic Auth
 # --------------------------------
     - name: -- VERIFY AUTH BASIC NONE --
-      command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
-      changed_when: false
-      register: authnone
-      failed_when: authnone.stdout.find('401 Authorization Required') == -1
+      uri:
+        url: "http://test-htpasswd.local/hello/"
+        status_code: 401
+
     - name: -- VERIFY AUTH BASIC FAIL --
-      command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
-      changed_when: false
-      register: authfail
-      failed_when: authfail.stdout.find('401 Authorization Required') == -1
+      uri:
+        url: "http://test-htpasswd.local/hello/"
+        status_code: 401
+        user: "fail"
+        password: "fail"
+        force_basic_auth: yes
+
     - name: -- VERIFY AUTH BASIC OK --
-      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/"
-      changed_when: false
-      register: authok
-      failed_when: authok.stdout.find('hello') == -1
+      uri:
+        url: "http://test-htpasswd.local/hello/"
+        user: "hanx"
+        password: "qwerty"
+        force_basic_auth: yes
+
     - name: -- VERIFY AUTH BASIC FAIL GLOBAL --
-      command: "curl -u fail:fail -H 'Host: test-htpasswd-all.local' http://127.0.0.1/"
-      changed_when: false
-      register: authgfail
-      failed_when: authgfail.stdout.find('401 Authorization Required') == -1
-    - name: -- VERIFY AUTH BASIC OK --
-      command: "curl -u hanx:qwerty -H 'Host: test-htpasswd-all.local' http://127.0.0.1/"
-      changed_when: false
-      register: authgok
-      failed_when: authgok.stdout.find('401 Authorization Required') != -1
+      uri:
+        url: "http://test-htpasswd-all.local/"
+        status_code: 401
+        user: "fail"
+        password: "fail"
+        force_basic_auth: yes
+
+    - name: -- VERIFY AUTH BASIC OK GLOBAL --
+      uri:
+        url: "http://test-htpasswd-all.local/"
+        user: "hanx"
+        password: "qwerty"
+        force_basic_auth: yes
 
 # --------------------------------
 # BackupPC
 # --------------------------------
     - name: -- VERIFY BACKUPPC --
-      command: "curl -u hanx:qwerty -H 'Host: backuppc.local' http://127.0.0.1/"
-      changed_when: false
+      uri:
+        url: "http://backuppc.local/"
+        user: "hanx"
+        password: "qwerty"
+        force_basic_auth: yes
+        return_content: yes
       register: authbpc
-      failed_when: authbpc.stdout.find('BackupPC Server Status') == -1
       when: ansible_distribution != 'FreeBSD'
+      failed_when: authbpc.content.find('BackupPC Server Status') == -1
 
 # --------------------------------
-# Nagios
+# Nagios (not avaiblable on Debian >= 9 and not tested on FreeBSD)
 # --------------------------------
+    - block:
+
       - name: -- VERIFY NAGIOS3 PHP --
-      command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/side.php"
-      changed_when: false
+        uri:
+          url: "http://nagios3.local/side.php"
+          user: "nagiosadmin"
+          password: "nagios"
+          force_basic_auth: yes
+          return_content: yes
         register: nagios_php
-      failed_when: nagios_php.stdout.find('Nagios Core') == -1
+        failed_when: nagios_php.content.find('Nagios Core') == -1
+
       - name: -- VERIFY NAGIOS3 CGI --
-      command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/cgi-bin{% if ansible_distribution == 'Debian' %}/nagios3{% endif %}/summary.cgi"
-      changed_when: false
+        uri:
+          url: "http://nagios3.local/cgi-bin{% if ansible_distribution == 'Debian' %}/nagios3{% endif %}/summary.cgi"
+          user: "nagiosadmin"
+          password: "nagios"
+          force_basic_auth: yes
+          return_content: yes
         register: nagios_cgi
-      failed_when: nagios_cgi.stdout.find('Nagios Event Summary') == -1
+        failed_when: nagios_cgi.content.find('Nagios Event Summary') == -1
+
+      when: ansible_distribution == 'Debian' and ansible_distribution_major_version | version_compare('9', 'lt')
 
 # --------------------------------
 # SSL
 # --------------------------------
     - name: -- VERIFY SSL --
-      command: "curl --insecure -H 'Host: {{ item }}' https://127.0.0.1/"
-      changed_when: false
+      uri:
+        url: "https://{{ item }}/"
+        return_content: yes
+        validate_certs: no
       register: sslok
-      failed_when: sslok.stdout.find('Index HTML test OK') == -1
+      failed_when: sslok.content.find('Index HTML test OK') == -1
       with_items:
         - 'test-ssl-predeployed.local'
         - 'test-ssl.local'
+        - '{{ ngrok.stdout }}'
+
     - name: -- VERIFY SSL REDIRECT --
-      command: "curl -v --insecure -H 'Host: {{ item }}' http://127.0.0.1/"
-      changed_when: false
+      uri:
+        url: "http://{{ item.name }}/"
+        validate_certs: no
+        status_code: 301
+        return_content: yes
+        follow_redirects: none
       register: sslredirok
-      failed_when: >
-        sslredirok.stderr.find('< Location') == -1 and
-        sslredirok.stderr.find('https://{{ item }}/') == -1
+      failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location'
       with_items:
-        - 'test-ssl-redirect.local'
+        - name: 'test-ssl-redirect.local'
+        - name: 'test-ssl-redirect-many.local'
+          port: '8443'
+        - name: 'test-ssl-redirect-many2.local'
+          port: '8443'
 
 # --------------------------------
-# Default vhosts
+# Default sites
 # --------------------------------
-    - name: -- VERIFY DEFAULT VHOST --
-      command: "curl -v http://127.0.0.1/"
-      changed_when: false
+    - name: -- VERIFY DEFAULT SITE --
+      uri:
+        url: 'http://127.0.0.1/'
+        return_content: yes
       register: vdefault
       failed_when: >
-        vdefault.stdout.find('Index HTML test OK') == -1 or
-        vdefault.stderr.find('X-ansible-default') == -1
-    - name: -- VERIFY DEFAULT SSL VHOST --
-      command: "curl --insecure -v https://127.0.0.1/"
-      changed_when: false
-      register: defaultssl
-      failed_when: >
-        defaultssl.stdout.find('Index HTML test OK') == -1 or
-        defaultssl.stderr.find('X-ansible-default') == -1
-    - name: -- VERIFY NOT DEFAULT VHOST --
-      command: "curl -v -H 'Host: test-php.local' http://127.0.0.1/"
-      changed_when: false
-      register: vphp
-      failed_when: vphp.stderr.find('X-ansible-default') != -1
-    - name: -- VERIFY NOT DEFAULT SSL VHOST --
-      command: "curl --insecure -v -H 'Host: test-ssl.local' https://127.0.0.1/"
-      changed_when: false
-      register: notdefaultssl
-      failed_when: notdefaultssl.stderr.find('X-ansible-default') != -1
-    - name: -- VERIFY DEFAULT VHOST + STUB_STATUS --
-      command: "curl -v http://127.0.0.1/status"
-      changed_when: false
+        vdefault.content.find('Index HTML test OK') == -1 or
+        vdefault.x_ansible_default is not defined
+
+    - name: -- VERIFY DEFAULT SITE + STUB STATUS--
+      uri:
+        url: 'http://127.0.0.1/status'
+        return_content: yes
       register: vdefault_status
       failed_when: >
-        vdefault_status.stderr.find('X-ansible-default') == -1 or
-        vdefault_status.stdout.find('Active connections') == -1
+        vdefault_status.content.find('Active connections') == -1 or
+        vdefault_status.x_ansible_default is not defined
+
+    - name: -- VERIFY DEFAULT SSL SITE --
+      uri:
+        url: 'https://127.0.0.1/'
+        return_content: yes
+        validate_certs: no
+      register: vdefault
+      failed_when: >
+        vdefault.content.find('Index HTML test OK') == -1 or
+        vdefault.x_ansible_default is not defined
+
+    - name: -- VERIFY NOT DEFAULT SITE --
+      uri:
+        url: 'http://test-php.local/'
+        return_content: yes
+      register: vphp
+      failed_when: vphp.x_ansible_default is defined
+
+    - name: -- VERIFY NOT DEFAULT SSL SITE --
+      uri:
+        url: 'https://test-ssl.local/'
+        return_content: yes
+        validate_certs: no
+      register: notdefaultssl
+      failed_when: notdefaultssl.x_ansible_default is defined
 
 # --------------------------------
 # Check HTTP2

vars/Debian.yml

@@ -2,7 +2,7 @@ nginx_events_use: 'epoll'
 nginx_pid: '/run/nginx.pid'
 nginx_etc_dir: '/etc/nginx'
 
-# Specific vhosts
+# Specific sites
 nginx_nagios_root: '/usr/share/nagios3/htdocs'
 nginx_nagios_stylesheets: '/etc/nagios3/stylesheets'
 nginx_fcgiwrap_sock: '/var/run/fcgiwrap.socket'

vars/FreeBSD.yml

@@ -2,6 +2,8 @@ nginx_events_use: 'kqueue'
 nginx_pid: '/var/run/nginx.pid'
 nginx_etc_dir: '/usr/local/etc/nginx'
 
-# Specific vhosts
+# Specific sites
 nginx_nagios_root: '/usr/local/www/nagios'
 nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock'
+
+nginx_acmesh_bin: '/usr/local/sbin/acme.sh'

vars/main.yml

@@ -23,11 +23,30 @@ nginx_upstream_server_params:
 #    min_version: '1.5.12'
 
 nginx_dirs:
-  - "{{ nginx_htpasswd_dir }}"
-  - "{{ nginx_ssl_dir }}"
-  - "{{ nginx_helper_dir }}"
+  - dir: "{{ nginx_htpasswd_dir }}"
+    mode: "0750"
+    owner: "{{ nginx_user }}"
+  - dir: "{{ nginx_ssl_dir }}"
+    mode: "0750"
+    owner: "root"
+  - dir: "{{ nginx_helper_dir }}"
+    mode: "0755"
+    owner: "root"
+  - dir: "{{ nginx_etc_dir }}/modules-available"
+    mode: "0755"
+    owner: "root"
+  - dir: "{{ nginx_etc_dir }}/modules-enabled"
+    mode: "0755"
+    owner: "root"
 
 nginx_templates_no_dir:
-  - '_proxy'
-  - '_nagios3'
   - '_backuppc'
+  - '_nagios3'
+  - '_proxy'
+
+nginx_servers_default_headers:
+  'X-Frame-Options': 'DENY always'
+  'X-Content-Type-Options': 'nosniff always'
+  'X-XSS-Protection': '1; mode=block'
+
+nginx_acmesh_bin: "{{ nginx_acmesh_dir }}/acme.sh"