141 Commits
1.3.5 ... 1.9.0

Author SHA1 Message Date
Emilien Mantel
297dc1f669 Fix ansible lint 2021-09-03 12:19:32 +02:00
Emilien Mantel
5e2f988beb Merge branch 'master' into debian_11 2021-09-03 12:08:30 +02:00
Emilien Mantel
6aea2bcb5f Migrate to new TravisCI version 2021-09-01 12:05:07 +02:00
Emilien Mantel
8c6c4dc813 Fix Ansible Lint 2021-09-01 11:58:39 +02:00
Emilien Mantel
a2780d3d95 Fix Ansible Lint 2021-09-01 11:45:44 +02:00
Emilien Mantel
6c7e0c2a47 Fix yaml lint 2021-09-01 11:21:12 +02:00
Emilien Mantel
bdddb06fcc Add Debian Bullseye (11) support 2021-09-01 11:07:54 +02:00
Emilien Mantel
6e5fce00e7 Drop Backuppc support 2021-09-01 11:06:02 +02:00
Emilien Mantel
8268eb266a Fix no_log call crashes on Ansible 2.11 2021-09-01 11:02:45 +02:00
Emilien Mantel
8b73a835c6 Fix ngrok task to get hostname 2021-09-01 11:02:12 +02:00
Emilien Mantel
40ebe61c57 Add doc for custom site templates 2020-08-24 09:08:57 +02:00
Emilien Mantel
0f8688f290 Travis: don't install ansible buggy versions 2020-08-24 09:08:57 +02:00
Emilien Mantel
204e95725e Manage custom templates for sites
Issue #12 related
2020-08-24 09:08:57 +02:00
Emilien Mantel
da08953a27 Drop Backuppc support 2020-08-24 09:08:57 +02:00
Emilien Mantel
4c63efa588 Compat python3 2020-05-18 16:10:42 +02:00
Emilien Mantel
3e228d0812 Typofix 2020-02-04 13:08:48 +01:00
Emilien Mantel
1e7a0fc855 Change HSTS header per site or globally 2020-02-04 13:06:26 +01:00
Emilien Mantel
93b90c748f Fix redirect_ssl cannot be a default_site 2020-02-04 11:31:21 +01:00
Emilien Mantel
d8f6088362 Fix SSL with multiple names 2020-02-04 11:07:21 +01:00
Emilien Mantel
8c3b1c7f13 Compat with python3 2020-01-01 22:56:08 +01:00
Emilien Mantel
5cdd1a8b37 Skip tests on proxy protocol on Debian Stretch 2019-12-31 13:16:42 +01:00
Emilien Mantel
0363a37e06 Changes for proxy_protocol and apply default values 2019-12-31 13:07:13 +01:00
Emilien Mantel
a1e76453cf DH length 4096 -> 2048 2019-12-31 12:46:02 +01:00
Emilien Mantel
729173c46c Better SSL management
- Use filter plugins
- Acme: can use proxy protocol
- Acme: uses all sites name
- Acme: add more tests while crashing
2019-12-31 12:43:43 +01:00
Emilien Mantel
2f8ce00067 Add tests on proxy protocol 2019-12-30 17:43:18 +01:00
Emilien Mantel
9b286f9b96 Fix some issues:
- "main_name" is name/name[0] not filename
- improve some tests
- better proxy protocol handling (not necessary to declare ports twice)
2019-12-30 17:28:34 +01:00
Emilien Mantel
4a2478a4fb [WIP] Working on FreeBSD tests
Replace ngrok by serveo.net?
2019-12-29 18:18:24 +01:00
Emilien Mantel
a9a72dd25f Drop PHP version support (useless) + fix some bugs 2019-12-29 16:29:18 +01:00
Emilien Mantel
2a612a55b9 Add symfony template 2019-12-26 17:55:07 +01:00
Emilien Mantel
1280a441ee Fix tests on Sury 2019-12-26 17:35:00 +01:00
Emilien Mantel
21edb6b584 Fix install role 2019-12-26 17:23:36 +01:00
Emilien Mantel
c524b97b0f Use upstream config from HanXHX.php role 2019-12-26 17:16:13 +01:00
Emilien Mantel
993310641a Fix "always" management in add_header directive 2019-08-20 10:35:51 +02:00
Emilien Mantel
f5885c5c55 Cache fonts 2019-08-07 21:11:00 +02:00
Emilien Mantel
bb5e00d6f5 Don't remove acme.sh keys if acme.sh fails 2019-05-03 14:16:23 +02:00
Emilien Mantel
cf010e4a4b Reload nginx with acme.sh
Sometimes fu****** systemd doesn't want you to restart nginx in a loop. It crashes the role.
2019-04-30 16:45:14 +02:00
Emilien M
39d3f5f06a Fix lint warnings (#40)
* Add new filter plugins related to SSL
* Ignore lint on few tasks
2019-04-26 13:29:06 +02:00
Emilien M
247f849b86 Remove obsolete code (php 5.6 support) (#41)
Closes #39
2019-04-26 13:28:04 +02:00
Emilien Mantel
a03a656b18 Prevent crash on Docker+Buster 2019-04-25 16:14:43 +02:00
Emilien Mantel
1239219d90 Add buster to travis 2019-04-25 14:37:15 +02:00
Emilien Mantel
4f94fc2211 acme.sh fixes
- fix acme.sh home directory
- Clean crash when acme.sh fails (EXPERIMENTAL)
2019-04-25 13:59:19 +02:00
Emilien M
e89a154bb5 Support Debian Buster (#37) 2019-04-23 09:28:00 +02:00
Emilien Mantel
c9bda9e95a Force Python2.7 on travis 2019-04-19 14:38:47 +02:00
Emilien Mantel
4efc975770 Remove obsolete doc 2019-04-10 10:01:32 +02:00
Emilien M
20d04015c1 Remove newlines+tab on server_name. Bypass acme.sh limitations (#38) 2019-03-20 19:37:55 +01:00
Emilien Mantel
98b0de9265 Fix tests 2019-02-21 18:32:38 +01:00
Emilien Mantel
95706359c8 Fix "override_try_files" 2019-02-20 17:08:56 +01:00
Emilien Mantel
1437619475 Manages locations before "/" 2019-02-20 15:13:25 +01:00
Emilien Mantel
7959182bf8 Remove legacy code 2019-02-20 15:06:59 +01:00
Emilien Mantel
5ed17149e5 Drop Jessie support 2019-02-13 14:40:03 +01:00
Emilien Mantel
91ca31e676 This role only works with Ansible 2.6+ 2019-02-12 18:18:03 +01:00
Emilien Mantel
a021888728 Change DH file if length updated 2019-02-12 18:07:04 +01:00
Emilien Mantel
c12113921c Fixes some warnings 2019-02-12 18:04:24 +01:00
Emilien Mantel
74b48fca2c Update crypto helpers
Fixes #36
2019-02-12 18:03:52 +01:00
Emilien Mantel
3642df1d5f Some fixes 2019-02-08 16:59:01 +01:00
Emilien Mantel
c399bf35b5 Compat with modern ansible versions 2019-02-05 11:05:04 +01:00
Emilien M
8218e5c972 Fix deprecations (#35)
* Drop Nagios support
* Fix start PHP-FPM on Docker
* Fix deprecations on Ansible 2.7

- with_ -> loop
- fix filters as test
- test version_compare -> version
- set min_version to 2.5
2019-01-24 11:05:46 +01:00
Emilien Mantel
87c1c68949 Add Ansible 2.5 + 2.6 to travis 2018-10-03 14:09:20 +02:00
Emilien Mantel
817929beca Add self-signed cert feature 2018-04-20 09:32:46 +02:00
Emilien Mantel
678dff9a1a Tune vimrc (mouse is boring on stretch) 2018-04-20 09:20:39 +02:00
Emilien Mantel
3da65983bd Fix acme create 2018-03-22 20:35:51 +01:00
Emilien Mantel
3fb8f092fb Fake site + force IPv6 2018-03-22 20:30:10 +01:00
Emilien Mantel
19a85ca381 Autoconfigure ipv6 on fakesite 2018-03-22 19:48:41 +01:00
Emilien Mantel
2bab49221a Autoconfigure IPv6 on each server 2018-03-22 19:47:30 +01:00
Emilien Mantel
6e877c070e Configure nginx restart with acme.sh 2018-03-22 19:03:33 +01:00
Emilien Mantel
c165f88126 Manage multiple names with acme.sh 2018-03-22 18:43:44 +01:00
Emilien Mantel
59dd3997de Acme uses light fake sites 2018-03-22 18:39:10 +01:00
Emilien Mantel
ae6dc88bc4 Delete current site when playing with acme.sh 2018-03-22 17:49:02 +01:00
Emilien Mantel
6719b415ab Fix playbook crash with acme and multiple domains 2018-03-22 17:47:53 +01:00
Emilien Mantel
fd21603a4d Fix FreeBSD version for galaxy 2018-03-18 12:37:27 +01:00
Emilien Mantel
f52be2bbf3 Add FreeBSD in meta/main.yml 2018-03-17 14:52:14 +01:00
Emilien Mantel
a4aeec0a94 Drop check legacy nginx version 2018-03-17 14:08:48 +01:00
Emilien Mantel
713a2241de Drop owncloud code 2018-03-17 14:04:48 +01:00
Emilien Mantel
6cae501266 Drop fastcgi_params support 2018-03-17 14:02:08 +01:00
Emilien Mantel
dd7834e8ce Fix daemonize lock file (ngrok)
It overwrote the ngrok binary on Debian
2018-03-17 14:01:07 +01:00
Emilien Mantel
cb031c4014 Force shell for FreeBSD 2018-03-17 14:00:01 +01:00
Emilien Mantel
db97fe84f8 Add doc for FreeBSD 2018-03-17 12:54:57 +01:00
Emilien Mantel
c9629e385f Working on FreeBSD 11/12 2018-03-17 12:24:19 +01:00
Emilien Mantel
5843d695b3 Manage FreeBSD 11 2018-03-16 21:56:15 +01:00
Emilien Mantel
8c7d581131 Fix php upstream with TCP socket 2018-03-16 18:53:53 +01:00
Emilien Mantel
0b85d81991 Better redirect management
Fixes renew with letsencrypt (always redirect and never handle
challenge)
2018-03-15 18:30:01 +01:00
Emilien Mantel
7fe08beb9a Enable TLSv1.3 on nginx v1.13.0 2018-03-15 18:13:13 +01:00
Emilien Mantel
33ef161623 Ansible 2.4 must not fail now 2018-03-15 18:07:36 +01:00
Emilien Mantel
c2685732a4 Manages Ansible 2.4+ with Docker
Closes #30
2018-03-15 18:06:38 +01:00
Emilien Mantel
737dfbeb30 Add debug mode 2018-03-15 16:10:37 +01:00
Emilien Mantel
def13392a7 Add Ansible 2.5 on travis 2018-03-15 12:56:12 +01:00
Emilien Mantel
6897f66344 redirect_from manages now https sites 2018-03-15 12:54:12 +01:00
Emilien Mantel
552999c782 Install modules on Debian 9+ or 8 with backports 2018-01-15 22:36:53 +01:00
Emilien Mantel
fe32f8d40a Revert "minor fix"
This reverts commit 5d46daaba8.
2018-01-15 22:33:55 +01:00
Emilien Mantel
5d46daaba8 minor fix 2018-01-15 19:12:22 +01:00
Emilien Mantel
4ca8f9e319 Check nginx_version before install modules 2018-01-15 18:41:17 +01:00
Emilien Mantel
d3d9b5c296 Install modules OK 2017-12-14 20:06:29 +01:00
Emilien Mantel
45886ca9cc Install modules just after nginx 2017-12-14 19:41:05 +01:00
Emilien Mantel
bb74ac804e Donation 2017-12-09 17:05:02 +01:00
Emilien Mantel
2a5a1701f3 Try fix travis: php service not started 2017-12-07 12:40:16 +01:00
Emilien Mantel
a1866f806f Fix test php_index2, fallback in /index.php 2017-12-07 11:14:19 +01:00
Emilien Mantel
0788b6c84f Delete PHP upstream when nginx_php is empty
Closes #31
2017-12-07 11:09:44 +01:00
Emilien Mantel
222998839c Fix site.state == absent
- Site is deleted now
- Doc updated
2017-12-06 12:05:46 +01:00
Emilien Mantel
d00f3301e1 _php template, do not go to /index.php as fallback 2017-12-05 10:40:21 +01:00
Emilien Mantel
8f76b9c68c acme.sh : no_log + fix check created 2017-12-03 02:15:48 +01:00
Emilien Mantel
8dca6c8404 Fix acme when acme_port is not defined 2017-12-03 02:08:32 +01:00
Emilien Mantel
a01f6cd5ea Let's Encrypt certificate with acme.sh 2017-12-03 01:32:56 +01:00
Emilien Mantel
609e4f013d Fix crash when nginx_upstream is not set 2017-11-27 13:43:28 +01:00
Emilien Mantel
c79d370ad6 Add new site template: _php_index2 2017-11-27 13:34:03 +01:00
Emilien Mantel
45f800fe18 With Vagrant 2.* ansible.sudo -> ansible.become 2017-11-27 13:25:04 +01:00
Emilien Mantel
9fc4838b1b Fix loop control 2017-11-03 11:06:57 +01:00
Emilien Mantel
3304934227 Add loop_control.label on site tasks 2017-11-03 10:56:18 +01:00
Emilien Mantel
57968b50c0 Restart nginx on SSL file writes 2017-11-03 10:30:24 +01:00
Emilien Mantel
8675d683ec Tests with uri module (closes #25) 2017-10-27 15:27:16 +02:00
Emilien Mantel
10bd837f54 Setup is now 'handled' 2017-10-26 15:50:59 +02:00
Emilien Mantel
332e28a9d7 YAML cleaning 2017-10-26 15:47:30 +02:00
Emilien Mantel
4b3b857733 Remove heavy code (nginx filename) using a filter 2017-10-26 15:33:00 +02:00
Emilien Mantel
608784ca55 Fix travis 2017-10-26 11:45:20 +02:00
Emilien Mantel
36652f4742 Move upstream templates to conf.d 2017-10-26 11:09:21 +02:00
Emilien Mantel
463ce45105 New PHP management
- New versions (7.x)
- PHP upstream name
- Sites can use : default PHP version, select first one by PHP version,
  select by upstream name
- Add PHP filter plugin
2017-10-26 11:04:38 +02:00
Emilien Mantel
70283ddcc6 Update .travis.yml
Fix failures
2017-10-03 19:57:04 +02:00
Emilien Mantel
de40c07ac5 Better readability 2017-10-03 17:57:35 +02:00
Emilien Mantel
54dd1ef3c0 Remove legacy code 2017-10-03 17:38:06 +02:00
Emilien Mantel
cfe27ef245 Bypasses ansible 2.4.0.0 service issue
On Ansible 2.4, it seems the service is not reloaded/restarted. This
commit skips errors...
2017-10-03 17:35:35 +02:00
Emilien Mantel
6f098475e5 Remove useless vagrant boxes 2017-10-03 16:52:45 +02:00
Emilien Mantel
090875cbde Travis changes
- drop allow failure for stretch and ansible 2.3
- manages ansible 2.4
2017-09-26 09:44:52 +02:00
Emilien Mantel
b72263f7e5 Fix failures on travis 2017-07-27 14:56:43 +02:00
Emilien Mantel
4751eaa3c1 Add missing cont on Vagrant 2017-07-27 14:31:42 +02:00
Emilien Mantel
e83395271d Fix tests for Debian Stretch
- nagios is not available
- curl can use HTTP2 (headers are lowercase)
- bypass tests when htpasswd is empty (bypass issue #28)
2017-07-27 14:25:22 +02:00
Emilien Mantel
6935404939 Improve syntax readability 2017-07-27 12:21:10 +02:00
Emilien Mantel
acf8de8f87 Fix warning on when 2017-07-27 12:01:59 +02:00
Emilien Mantel
50e25d45b8 Elegant fail for htpasswd+stretch (#28 related) 2017-07-27 11:50:48 +02:00
Emilien Mantel
adf53b0d95 Fix redirect_to when filename is set 2017-07-25 17:00:34 +02:00
Emilien Mantel
4d819ac2a1 Add tags to ssl and site configuration 2017-07-19 15:57:41 +02:00
Emilien Mantel
af9fa6a2c3 Update stretch vagrant box (virtualbox) 2017-06-29 15:04:59 +02:00
Emilien Mantel
4486bddb19 Add blank lines, spaces... (readability) 2017-06-14 18:00:30 +02:00
Emilien Mantel
0b99a1c28e Remove ansible 2.3 warnings - fixes #29 2017-06-14 17:54:48 +02:00
Emilien Mantel
d616657f12 travis: missing debian stretch + ansible 2.2 2017-06-09 09:48:24 +02:00
Emilien Mantel
eb0bdcad6f Travis major changes:
- Use Vagrant + Docker
- Test multiple Ansible versions
2017-06-06 14:15:03 +02:00
Emilien Mantel
3ae791ec47 Role can be fully called in check mode 2017-06-01 11:38:22 +02:00
Emilien Mantel
cbdfc741ba Renaming variables *vhost* -> *site*
Vhost is an Apache configuration, not Nginx.
Manages backward compatibility.
2017-04-25 12:27:08 +02:00
Emilien Mantel
a60e81cc1f fix redirect https : show port only if not 443 2017-04-13 15:16:53 +02:00
Emilien Mantel
f1af8991fd Bug fix : redirect https with many names
On a multiple name vhost with redirect_https, redirection is done with
the origin name not the main name.
2017-04-13 14:21:14 +02:00
Emilien Mantel
fcb59fd331 no_log when deleting htpasswd files 2017-03-14 11:21:35 +01:00
Emilien Mantel
2aa9e8b6b9 load modules uses pattern *.conf 2017-03-13 10:19:07 +01:00
Emilien Mantel
7892626fc0 Load module from {{nginx_dir}}/etc/modules-enabled 2017-03-13 09:53:29 +01:00
60 changed files with 1810 additions and 1082 deletions

.ansible-lint Normal file

@@ -0,0 +1,4 @@
---
enable_list:
- fqcn-builtins

.gitignore vendored

@@ -1,3 +1,5 @@
.vagrant* .vagrant*
*.swp *.swp
*.retry *.retry
*.pyc
/tests/HanXHX.php


@@ -1,20 +1,52 @@
matrix: ---
include:
- env: PLATFORM=debian-jessie ORIGIN=debian NGINX_PHP56=true NGINX_PHP70=false NGINX_BACKPORTS=false DOTDEB=false
- env: PLATFORM=debian-jessie ORIGIN=backports NGINX_PHP56=true NGINX_PHP70=false NGINX_BACKPORTS=true DOTDEB=false
- env: PLATFORM=debian-jessie ORIGIN=dotdeb NGINX_PHP56=true NGINX_PHP70=true NGINX_BACKPORTS=false DOTDEB=true
sudo: required env:
global:
- VAGRANT_VERSION='2.2.18'
jobs:
- PLATFORM='docker-debian-stretch' ANSIBLE_VERSION='>=2.11,<2.12'
- PLATFORM='docker-debian-bullseye' ANSIBLE_VERSION='>=2.11,<2.12'
- PLATFORM='docker-debian-buster' ANSIBLE_VERSION='>=2.11,<2.12'
dist: trusty os:
- linux
dist: focal
language: python language: python
python:
- 3.8
services: services:
- docker - docker
before_install:
- sudo apt-get -q update
- sudo apt-get install -y yamllint
- sudo wget -nv https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}_x86_64.deb
- sudo dpkg -i vagrant_${VAGRANT_VERSION}_x86_64.deb
install:
- sudo pip install "ansible-core$ANSIBLE_VERSION"
- sudo pip install ansible-lint
- ansible-galaxy collection install community.general
- ansible-galaxy install -p ./tests HanXHX.php
script: script:
- docker build -f tests/$PLATFORM.Dockerfile -t test-$PLATFORM . && docker run -e "DOTDEB=$DOTDEB" -e "NGINX_PHP56=$NGINX_PHP56" -e "NGINX_PHP70=$NGINX_PHP70" -e "NGINX_BACKPORTS=$NGINX_BACKPORTS" --name $PLATFORM test-$PLATFORM - VAGRANT_DEFAULT_PROVIDER=docker vagrant up $PLATFORM
- >
VAGRANT_DEFAULT_PROVIDER=docker vagrant provision $PLATFORM
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
- VAGRANT_DEFAULT_PROVIDER=docker vagrant status
- >
yamllint .
&& (echo 'YAML lint test: pass' && exit 0)
|| (echo 'YAML lint test: fail' && exit 1)
- >
ansible-lint -v tests/test.yml
&& (echo 'Ansible lint test: pass' && exit 0)
|| (echo 'Ansible lint test: fail' && exit 1)
notifications: notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/ webhooks: https://galaxy.ansible.com/api/v1/notifications/
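Review bot: the `before_install` block downloads the Vagrant `.deb` with `wget` and installs it as root via `dpkg -i` without checking a checksum or signature; HashiCorp publishes a `SHA256SUMS` file (and a detached signature) next to each release, so fetch it and verify with `sha256sum -c` before `dpkg -i`. The same hunk also installs two unpinned dependencies, `pip install ansible-lint` and `ansible-galaxy install -p ./tests HanXHX.php` (the README dev instructions even use `HanXHX.php,master`): pinning a version/tag for both keeps CI reproducible and avoids pulling whatever the upstream branch happens to contain. Finally, the idempotence check `grep -q 'changed=0.*failed=0'` matches any recap line in the provision output; with a single host per job that is fine, but it will pass on a multi-host play as soon as one host is clean.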

.yamllint.yml Normal file

@@ -0,0 +1,6 @@
---
extends: default
rules:
line-length: disable


@@ -1,26 +1,39 @@
Nginx for Debian/FreeBSD Ansible role Nginx for Debian/FreeBSD Ansible role
===================================== =====================================
[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) [![Build Status](https://travis-ci.org/HanXHX/ansible-nginx.svg?branch=master)](https://travis-ci.org/HanXHX/ansible-nginx) [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) [![Build Status](https://app.travis-ci.com/HanXHX/ansible-nginx.svg?branch=master)](https://app.travis-ci.com/HanXHX/ansible-nginx)
Install and configure Nginx on Debian/FreeBSD. Install and configure Nginx on Debian/FreeBSD.
Features: Features:
- SSL/TLS "hardened" support - SSL/TLS "hardened" support
- Manage basic auth on vhost / location - Manage basic auth on site / location
- Proxy + Upstream - Proxy + Upstream
- Fast PHP configuration - Fast PHP configuration
- Preconfigured vhost templates (should work on many app) - Preconfigured site templates (should work on many app)
- Auto-configure HTTP2 on SSL/TLS vhosts - Auto-configure HTTP2 on SSL/TLS sites
- Manage dynamic modules (install and loading) - Manage dynamic modules (install and loading)
- Deploy custom facts.d with sites config - Deploy custom facts.d with sites config
- Can listen with proxy protocol - Can listen with proxy protocol
- Generate certificates with acme.sh (let's encrypt) -- *EXPERIMENTAL*
Supported OS:
| OS | Working | Stable (active support) |
| -------------------- | ------- | ----------------------- |
| Debian Jessie (8) | Yes | Check latest supported version ([1.5.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.5.0)) |
| Debian Stretch (9) | Yes | Yes |
| Debian Buster (10) | Yes | Yes |
| Debian Bullseye (11) | Yes | Yes |
| FreeBSD 11 | Yes | No |
| FreeBSD 12 | Yes | No |
Requirements Requirements
------------ ------------
None. If you set true to `nginx_backports`, you must install backports repository before lauching this role. - Ansible >=2.11
- If you set true to `nginx_backports`, you must install backports repository before lauching this role.
Role Variables Role Variables
-------------- --------------
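Review bot: the rewritten Requirements bullet carries over the typo "lauching" (should be "launching") into the new text. The supported-OS table is a good addition; consider spelling out what "Stable (active support)" means for the FreeBSD rows marked "No" (tested but not guaranteed, or untested), since the Note section further down still says FreeBSD is only tested on 10.2 while the table lists 11 and 12.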
@@ -44,6 +57,7 @@ FreeBSD:
- `nginx_error_log_level`: default log level - `nginx_error_log_level`: default log level
- `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible - `nginx_auto_config_httpv2`: boolean, auto configure HTTP2 where possible
- `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache) - `nginx_fastcgi_fix_realpath`: boolean, use realpath for fastcgi (fix problems with symlinks and PHP opcache)
- `nginx_default_hsts`: string, default header sent for HSTS
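Review bot: the new `nginx_default_hsts` bullet should state the default value (`max-age=63072000; includeSubDomains` in defaults/main.yml) and that it can be overridden per site (commit 1e7a0fc855 "Change HSTS header per site or globally"), so readers know the header is applied to every SSL/TLS site unless a site sets its own.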
### Nginx Configuration ### Nginx Configuration
@@ -53,12 +67,22 @@ FreeBSD:
- `nginx_events_*`: all variables in events block - `nginx_events_*`: all variables in events block
- `nginx_http_*`: all variables in http block - `nginx_http_*`: all variables in http block
- `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`) - `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`)
- `nginx_dyn_modules`: dynamic module list to load - `nginx_module_packages`: package list module to install (Debian)
- `nginx_load_modules`: module list to load (full path), should be used only on FreeBSD
### Misc
- `nginx_debug_role`: set _true_ if you need to see output of no\_log tasks
About modules
-------------
Last updates from Debian backports loads modules from /etc/nginx/modules-enabled directory. Disabling/Enabling is not supported anymore. Please wait further update.
Fine configuration Fine configuration
------------------ ------------------
[Vhost configuration](doc/vhost.md) [Site configuration](doc/site.md)
[PHP configuration](doc/php.md) [PHP configuration](doc/php.md)
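Review bot: the `nginx_debug_role` description ("set _true_ if you need to see output of no\_log tasks") should say what that output contains: the tasks guarded by `no_log` are the htpasswd and acme.sh ones (commits fcb59fd331 and 8f76b9c68c), so enabling it prints credentials and key material into the Ansible log. Suggest a sentence like "only for local debugging; never enable on a host whose logs are collected". Separately, the "About modules" paragraph ends with "Please wait further update." with no reference to the replacement variables `nginx_module_packages` / `nginx_load_modules` documented just above it; linking the two would avoid the impression the feature is broken.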
@@ -70,19 +94,29 @@ Fine configuration
[FreeBSD](doc/freebsd.md) [FreeBSD](doc/freebsd.md)
[acme.sh](doc/acme.md)
Note Note
---- ----
- Active support for Debian. - Active support for Debian.
- FreeBSD support is experimental (no Travis). I only test (for the moment) 10.2 (but it can work on other versions). - FreeBSD support is experimental (no Travis). I only test (for the moment) 10.2 (but it can work on other versions).
- I don't manage BackupPC for FreeBSD (PR welcome).
Dependencies Dependencies
------------ ------------
None None
If you need to dev this role locally
------------------------------------
Before use vagrant, run once:
```
ansible-galaxy install -p ./tests/ HanXHX.php,master
```
Example Playbook Example Playbook
---------------- ----------------
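Review bot: the unchanged Note line "I only test (for the moment) 10.2" is now contradicted by the FreeBSD 11/12 entries added in this same README and the Vagrantfile; update it to the versions actually exercised. In the new "If you need to dev this role locally" section, `ansible-galaxy install -p ./tests/ HanXHX.php,master` tracks a moving branch; pin a tag so local and CI runs use the same dependency, and tag the code fence (```shell) so it renders with highlighting like the other snippets in the docs.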
@@ -93,6 +127,19 @@ License
GPLv2 GPLv2
Donation
--------
If this code helped you, or if youve used them for your projects, feel free to buy me some :beers:
- Bitcoin: `1BQwhBeszzWbUTyK4aUyq3SRg7rBSHcEQn`
- Ethereum: `63abe6b2648fd892816d87a31e3d9d4365a737b5`
- Litecoin: `LeNDw34zQLX84VvhCGADNvHMEgb5QyFXyD`
- Monero: `45wbf7VdQAZS5EWUrPhen7Wo4hy7Pa7c7ZBdaWQSRowtd3CZ5vpVw5nTPphTuqVQrnYZC72FXDYyfP31uJmfSQ6qRXFy3bQ`
No crypto-currency? :star: the project is also a way of saying thank you! :sunglasses:
Author Information Author Information
------------------ ------------------
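Review bot: typo in the added Donation text: "youve" should be "you've", and "used them" should be "used it" (it refers to "this code").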

Vagrantfile vendored

@@ -6,51 +6,84 @@
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
vms_debian = [ vms_debian = [
{ :name => "debian-jessie", :box => "debian/jessie64", :vars => { "nginx_php56": true, "nginx_php70": false, "dotdeb": false, "nginx_backports": false }}, { :name => "debian-stretch", :box => "debian/stretch64", :vars => {} },
{ :name => "debian-jessie-backports", :box => "debian/jessie64", :vars => { "nginx_php56": true, "nginx_php70": false, "dotdeb": false, "nginx_backports": true }}, { :name => "debian-buster", :box => "debian/buster64", :vars => {} },
{ :name => "debian-jessie-dotdeb", :box => "debian/jessie64", :vars => { "nginx_php56": true, "nginx_php70": true, "dotdeb": true, "nginx_backports": false }}, { :name => "debian-bullseye", :box => "debian/bullseye64", :vars => {} }
{ :name => "debian-stretch", :box => "sharlak/debian_stretch_64", :vars => { "nginx_php56": false, "nginx_php70": true, "dotdeb": false, "nginx_backports": false }}
] ]
vms_freebsd = [ vms_freebsd = [
{ :name => "freebsd-10.2", :box => "freebsd/FreeBSD-10.2-STABLE" } { :name => "freebsd-11", :box => "freebsd/FreeBSD-11.3-STABLE", :vars => {} },
{ :name => "freebsd-12", :box => "freebsd/FreeBSD-12.1-STABLE", :vars => {} }
] ]
config.vm.provider "virtualbox" do |v| conts = [
v.cpus = 1 { :name => "docker-debian-stretch", :docker => "hanxhx/vagrant-ansible:debian9", :vars => {} },
v.memory = 256 { :name => "docker-debian-buster", :docker => "hanxhx/vagrant-ansible:debian10", :vars => {} },
{ :name => "docker-debian-bullseye", :docker => "hanxhx/vagrant-ansible:debian11", :vars => {} },
]
config.vm.network "private_network", type: "dhcp"
config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
conts.each do |opts|
config.vm.define opts[:name] do |m|
m.vm.provider "docker" do |d|
d.image = opts[:docker]
d.remains_running = true
d.has_ssh = true
end
if opts[:name].include? "bullseye"
m.vm.provision "shell", inline: "[ -f '/root/first_provision' ] || (apt-get update -qq && apt-get -y dist-upgrade && touch /root/first_provision)"
end
m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml"
ansible.verbose = 'vv'
ansible.become = true
ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, is_docker: true })
end
end
end end
vms_debian.each do |opts| vms_debian.each do |opts|
config.vm.define opts[:name] do |m| config.vm.define opts[:name] do |m|
m.vm.box = opts[:box] m.vm.box = opts[:box]
m.vm.network "private_network", type: "dhcp" m.vm.provider "virtualbox" do |v|
v.cpus = 1
v.memory = 256
end
if opts[:name].include? "bullseye"
m.vm.provision "shell", inline: "[ -f '/root/first_provision' ] || (apt-get update -qq && apt-get -y dist-upgrade && touch /root/first_provision)"
end
m.vm.provision "ansible" do |ansible| m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml" ansible.playbook = "tests/test.yml"
ansible.verbose = 'vv' ansible.verbose = 'vv'
ansible.sudo = true ansible.become = true
ansible.extra_vars = opts[:vars] ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true })
end end
end end
end end
# See: https://forums.freebsd.org/threads/52717/
vms_freebsd.each do |opts| vms_freebsd.each do |opts|
config.vm.base_mac = "080027D14C66"
config.vm.define opts[:name] do |m| config.vm.define opts[:name] do |m|
m.vm.box = opts[:box] m.vm.box = opts[:box]
m.vm.network "private_network", type: "dhcp" m.vm.provider "virtualbox" do |v, override|
m.vm.guest = :freebsd override.ssh.shell = "csh"
m.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true v.cpus = 2
m.ssh.shell = "sh" v.memory = 512
m.vm.base_mac = "080027D14C66" end
m.vm.provision "shell", inline: "pkg install -y python bash" m.vm.provision "shell", inline: "[ -e /usr/local/bin/bash ] || pkg install -y python bash"
m.vm.provision "ansible" do |ansible| m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml" ansible.playbook = "tests/test.yml"
ansible.verbose = 'vv' ansible.verbose = 'vv'
ansible.sudo = true ansible.become = true
ansible.extra_vars = { ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, "ansible_python_interpreter": '/usr/local/bin/python' })
ansible_python_interpreter: '/usr/local/bin/python'
}
end end
end end
end end
end end
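Review bot: inside `vms_freebsd.each`, `config.vm.base_mac = "080027D14C66"` is set on the global `config` rather than on the per-machine `m`, so both the freebsd-11 and freebsd-12 VMs get the same MAC; it should be `m.vm.base_mac` (or dropped, since the linked forum thread concerns a single box). Two smaller points: every test VM and container is provisioned with `"nginx_debug_role": true`, which is appropriate for tests but worth a comment so nobody copies these extra_vars into a real inventory; and the bullseye `first_provision` step runs `apt-get -y dist-upgrade` on first boot, which makes the box contents depend on the day it was provisioned, so idempotence failures may be hard to reproduce.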


@@ -16,9 +16,10 @@ nginx_resolver_valid: '300s'
nginx_resolver_timeout: '5s' nginx_resolver_timeout: '5s'
nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log nginx_error_log_level: 'warn' # http://nginx.org/en/docs/ngx_core_module.html#error_log
nginx_auto_config_httpv2: true nginx_auto_config_httpv2: true
nginx_default_vhost: null nginx_default_site: null
nginx_default_vhost_ssl: null nginx_default_site_ssl: null
nginx_fastcgi_fix_realpath: true nginx_fastcgi_fix_realpath: true
nginx_default_hsts: 'max-age=63072000; includeSubDomains'
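Review bot: `nginx_default_hsts: 'max-age=63072000; includeSubDomains'` is applied to every SSL/TLS site by default, and `includeSubDomains` makes browsers require HTTPS for all subdomains of each served name for two years; add a comment here pointing to the per-site override, so operators who still serve an HTTP-only subdomain know to change it before the header is first sent.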
# #
# Nginx directories # Nginx directories
@@ -32,13 +33,7 @@ nginx_helper_dir: '{{ nginx_etc_dir}}/helper'
# #
# PHP # PHP
nginx_php56: false nginx_php: []
nginx_php70: false
nginx_php56_sockets:
- unix_socket: "/run/php5-fpm.sock"
nginx_php70_sockets:
- unix_socket: "/run/php/php7.0-fpm.sock"
nginx_upstreams: []
# #
# Nginx configuration # Nginx configuration
@@ -91,9 +86,26 @@ nginx_http_gzip_disable: '"msie6"'
nginx_custom_http: [] nginx_custom_http: []
# #
# Vhosts # Nginx default
# #
nginx_vhosts: [] nginx_default_listen:
- '80'
- '[::]:80'
nginx_default_listen_ssl:
- '443'
- '[::]:443'
nginx_default_listen_proxy_protocol: []
nginx_default_listen_proxy_protocol_ssl: []
#
# Sites
#
nginx_sites: []
#
# Upstreams
#
nginx_upstreams: []
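Review bot: `nginx_default_listen_proxy_protocol` and `nginx_default_listen_proxy_protocol_ssl` default to empty lists, which is the safe choice; a comment should say that a PROXY-protocol listener must only be reachable from the trusted load balancer (and that nginx needs `set_real_ip_from` for those addresses), because the protocol header is client-supplied and any peer that can reach the port directly can set an arbitrary source address.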
# #
# htpasswd # htpasswd
@@ -108,7 +120,8 @@ nginx_ssl_pairs: []
# #
# Dynamic modules # Dynamic modules
# #
nginx_dyn_modules: [] nginx_module_packages: []
nginx_load_modules: []
# #
# Diffie-Hellman # Diffie-Hellman
@@ -117,9 +130,15 @@ nginx_dh: null
nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem' nginx_dh_path: '{{ nginx_ssl_dir }}/dhparam.pem'
nginx_dh_length: 2048 nginx_dh_length: 2048
# Extra #
# acme.sh
#
nginx_acmesh: false
nginx_acmesh_dir: "/opt/acme.sh"
nginx_acmesh_git_dir: "/tmp/acme.sh"
nginx_acmesh_test: false
# Note: #
# - On Debian, if you use Owncloud from Upstream repository, you must set this var to "/var/www/owncloud" # Debug
# - TODO: force this var in vars/FreeBSD.yml #
nginx_owncloud_root: '/usr/share/owncloud' nginx_debug_role: false
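Review bot: `nginx_acmesh_git_dir: "/tmp/acme.sh"` has the role clone and run acme.sh as root from a fixed path in a world-writable directory; a local user can pre-create that path (or a symlink there) before the play runs. Clone into a root-owned location instead, for example under `nginx_acmesh_dir` or a `tempfile`-created directory, and keep the "removed after install" cleanup. `nginx_debug_role: false` as the default is correct given that it unmasks `no_log` tasks.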

doc/acme.md Normal file

@@ -0,0 +1,15 @@
acme.sh
=======
Notes
-----
This feature is experimental.
Variables
---------
- `nginx_acmesh`: (bool) Enable/Disable acme.sh feature
- `nginx_acmesh_dir`: (string) Install directory
- `nginx_acmesh_git_dir`: (string) Git directory (removed after install)
- `nginx_acmesh_test`: (bool) If set to true (default false), uses test mode
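Review bot: the variable list leaves out what the feature actually produces: where the issued certificate and key end up relative to `nginx_acmesh_dir`, that nginx is reloaded (not restarted) after issuance per commit cf010e4a4b, and that keys are kept when acme.sh fails (commit bb5e00d6f5). One line on each would make the "experimental" note actionable for someone debugging a failed issuance.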


@@ -4,7 +4,7 @@ Auth Basic management
Description Description
----------- -----------
Auth basic is managed in a separate list. Each auth file can be shared between locations or vhosts. Auth basic is managed in a separate list. Each auth file can be shared between locations or sites.
Each htpasswd has few keys: Each htpasswd has few keys:
@@ -19,8 +19,8 @@ Example
------- -------
```yaml ```yaml
nginx_vhosts: nginx_sites:
# htpasswd on all vhost # htpasswd on all site
- name: test.local - name: test.local
htpasswd: 'hello' htpasswd: 'hello'
template: '_base' template: '_base'


@@ -1,4 +1,12 @@
Freebsd Freebsd
======= =======
Limitations
-----------
Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`. Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`.
About modules
-------------
Dynamic modules must be set with full path (see `nginx_load_modules` path).


@@ -1,18 +1,22 @@
PHP PHP
=== ===
- `nginx_php56` and `nginx_php70`: boolean if you need to preconfigure PHP (default: false) `nginx_php`:
- `nginx_php##_sockets`: list of sockets (see bellow) - `upstream_name` (M)
- `sockets`: (O) socket list
If `sockets` is not provided, if uses local unix socket (based on PHP version).
You should see [Nginx upstream module doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html). You should see [Nginx upstream module doc](http://nginx.org/en/docs/http/ngx_http_upstream_module.html).
Each socket have: Each socket have:
- `unix_socket` - `unix`
- `host`
- `port`
- `weight`
- `max_fails`
- `fail_timeout`
With default configuration, it works fine with PHP-FPM. XOR
- `host` (M)
- `port` (M)
- `weight` (O)
- `max_fails` (O)
- `fail_timeout` (O)
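Review bot: the `unix` key is listed with no (M)/(O) marker while the alternative `host`/`port` pair is marked (M); since the text says "XOR", mark `unix` as (M) and state the rule in words ("either `unix`, or both `host` and `port`"). The unchanged line "Each socket have:" should read "Each socket has:", and "see bellow" in the removed line is not repeated in the new text, which is good.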


@@ -1,49 +1,59 @@
Vhost management Site management
================ ===============
You can see many examples in: [tests/test.yml](../tests/test.yml). You can see many examples in: [tests/test.yml](../tests/test.yml).
`nginx_vhosts`: List of dict. A vhost has few keys. See bellow. `nginx_sites`: List of dict. A site has few keys. See bellow.
Common Common
------ ------
- `name`: (M) Domain or list of domain used. - `name`: (M) Domain or list of domain used.
- `template`: (D) template used to create vhost. Optional if you set `delete` to true or using `redirect_tor`. - `state`: (O) Site status. Can be "present" (default), "absent" and "disabled".
- `filename`: (O) Specify filename in /etc/nginx/sites-*. Do NOT specify default (reserved keyword). It will be used for log filenames and directories creation. - `filename`: (O) Specify filename in `/etc/nginx/sites-*`. Do NOT specify default (reserved keyword). It will be used for log filenames and directories creation.
- `state`: (O) Vhost status. Can be "present" (default), "absent" and "disabled".
- `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
- `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
- `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html).
- `redirect_to_code`: Redirect code (default: 302)
- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to ```['https']```.
- `location`: (O) Add new custom locations (it does not overwrite!)
- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [tests/test.yml](../tests/test.yml)).
- `more`: (O) Add more custom infos.
- `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
- `override_try_files`: (O) overrides default try\_files defined in template
- `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature.
- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all vhost. Set "false" to disable.
- `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
- `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
- `php_version` (O) Sepecify PHP version (5 or 7)
- `http_proxy_protocol_port` (O) Enable proxy protocol on http port.
- `https_proxy_protocol_port` (O) Enable proxy protocol on https port.
(O): Optional (O): Optional
(M): Mandatory (M): Mandatory
(D): Depends other keys... (D): Depends other keys...
Templates You can use 2 config (at the same time time):
---------
- pre-built: Some configuration are templated (Wordpress, Symfony...), auto create root dir, perform an "A+" on ssllabs for https... etc
- custom: Push your own site config template. Usefull when you have a complex configuration.
Pre-built site config
---------------------
# Keys
- `template`: (M) template used to create site. Optional if you set `state`=`absent` or using `redirect_to`.
- `redirect_from`: (O) Domain list to redirect to the first `name`. You can use this key to redirect non-www to www
- `redirect_to`: (O) Redirect all requests to this domain. Please set scheme (http:// or https:// or $sheme).
- `headers`: (O) Set additionals header as key/value list. You can append "always" to the value. Show [nginx doc](http://nginx.org/en/docs/http/ngx_http_headers_module.html).
- `redirect_to_code`: Redirect code (default: 302)
- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to `['https']`.
- `location`: (O) Add new custom locations (it does not overwrite!)
- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [tests/test.yml](../tests/test.yml)).
- `location_before`: (O) Add new custom locations before generated location by template
- `location_order_before`: (O) Manages location order for `location_before`
- `more`: (O) Add more custom infos.
- `upstream_params`: (O) Add upstream params (useful when you want to pass variables to PHP)
- `override_try_files`: (O) overrides default try\_files defined in template
- `manage_local_content`: (O) Boolean. Set to false if you do not want to manage local content (images, css...). This option is useless if you use `_proxy` template or `redirect_to` feature.
- `htpasswd`: (O) References name key in `nginx_htpasswd`. Enable auth basic on all site. Set "false" to disable.
- `proto`: (O) list of protocol used. Default is a list with "http". If you need http and https, you must set a list with "http" and "https". You can only set "https" without http support.
- `ssl_name`: (D) name of the key used when using TLS/SSL. Optional when `proto` contains "https". If you don't set this value, it will search by `name`.
- `ssl_template` (O) "strong" (default) or "legacy". You can disable SSL helpers and add your own directives by setting "false".
- `listen_proxy_protocol` (O) Enable proxy protocol on http port.
- `listen_proxy_protocol_ssl` (O) Enable proxy protocol on https port.
- `hsts` (O) overwrite default header for hsts
### Templates
- `_base`: static template - `_base`: static template
- `_backuppc`: access to [BackupPC](http://backuppc.sourceforge.net/) (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap))
- `_dokuwiki` - `_dokuwiki`
- `_redirect`: should not be called explicitly - `_redirect`: should not be called explicitly
- `_nagios3`: access to Nagios3 (be careful: you need to install [fcgiwrap](https://packages.debian.org/jessie/fcgiwrap))
- `_owncloud`: access to Owncloud (note: you must set `nginx_apt_package` to //nginx-extras//) **UNSTABLE**
- `_phalcon`: Phalcon PHP Framework - `_phalcon`: Phalcon PHP Framework
- `_php`: PHP base template. Can work with many frameworks/tools - `_php`: PHP base template. Can work with many frameworks/tools
- `_php_index`: Same as above. But you can only run index.php - `_php_index`: Same as above. But you can only run index.php
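Review bot: both `redirect_to` entries in this key list tell users to set the scheme to `$sheme`; that is a typo for nginx's `$scheme` variable and a copied value produces a broken redirect target. In the same list, `redirect_to_code` is the only key without an (O)/(M)/(D) marker, "Show [nginx doc]" should read "See", and "preditive"/"Sepecify" are typos. The `ssl_name` entry says it is optional when `proto` contains "https", while the Tips line of the SSL doc in this same change says `ssl_name` is mandatory in `nginx_sites`; one of the two should describe the real behaviour (fallback to the first `name`). The proxy-protocol keys are renamed from `http_proxy_protocol_port`/`https_proxy_protocol_port` to `listen_proxy_protocol`/`listen_proxy_protocol_ssl` with no migration note, and "Enable proxy protocol on http port" does not say whether the value is a boolean or a port number; state the type and flag the rename as breaking for existing inventories.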
@@ -52,22 +62,80 @@ Templates
Templates works as parent-child. Templates works as parent-child.
About proxy template ### About proxy template
--------------------
Proxy template allow you to use Nginx as reverse proxy. Usefull when you have an application service such as Redmine, Jenkins... Proxy template allow you to use Nginx as reverse proxy. Usefull when you have an application service such as Redmine, Jenkins...
You have many key added to vhost key: You have many key added to site key:
- `upstream_name`: (O) upstream name used to pass proxy - `upstream_name`: (O) upstream name used to pass proxy
- `proxy_params`: (M) list of raw params passed to the vhost - `proxy_params`: (M) list of raw params passed to the site
(O) : Optional (O) : Optional
Default vhosts ### Default sites
--------------
You can manage default site by setting domain name to these variables.
- `nginx_default_site`
- `nginx_default_site_ssl`
*IT WORKS ONLY WITH PRE-BUIT SITES*
### Example
```yaml
- nginx_sites:
- name: 'mywebsite.com'
template: '_wordpress'
headers:
x-ansibled: '1'
manage_local_content: false
```
Custom site config
------------------
### Keys
- `custom_template`: (M) template path used
You can add some extra infos if needed.
### Example:
```yaml
- nginx_sites:
- name: 'mycustom-website.com'
custom_template: 'my/template_dir/the-template.conf.j2'
allow_admin: '192.168.0.0/24'
```
In `my/template_dir/the-template.conf.j2`:
```
#
# {{ ansible_managed }} - {{ item.name }}
#
server {
listen 8080 http2 proxy_protocol;
server_name {{ item.name }};
index index.html;
root /var/www/{{ item.name }};
location / {
try_files $uri $uri/ =404;
}
location /admin {
allow {{ item.allow_admin }};
deny all;
}
}
```
You can manage default vhost by setting domain name to these variables.
- `nginx_default_vhost`
- `nginx_default_vhost_ssl`
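Review bot: the custom template example combines `listen 8080 http2 proxy_protocol;` with `location /admin { allow {{ item.allow_admin }}; deny all; }`, and that pairing does not do what a reader will expect. With `proxy_protocol` on the listen socket nginx only accepts connections that start with a PROXY header (a direct request is rejected as a broken header), and `$remote_addr`, which `allow`/`deny` evaluate, stays the proxy's address unless `set_real_ip_from` and `real_ip_header proxy_protocol` are also set, so the allow list either blocks everyone or admits whatever the proxy forwards. Either drop `proxy_protocol` from the example or add the real_ip directives next to the access rule. `http2` on a plaintext listen is not how browsers negotiate HTTP/2; use `listen 443 ssl http2` or a plain `listen 8080`. The example also shows that site keys such as `allow_admin` are rendered verbatim into nginx syntax, which is worth one sentence of warning. Typos: "PRE-BUIT", "Usefull", "time time". The removal of `nginx_default_vhost`/`nginx_default_vhost_ssl` in favour of `nginx_default_site*` is a breaking rename and should be called out.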


@@ -15,25 +15,42 @@ Variables
Cert/Key pairs Cert/Key pairs
-------------- --------------
This list have 3 mandatory keys: Each pair must have a `name`.
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key
- `name`: MUST be unique ### Content mode
Key/Cert content is stored in variable. Usefull with vault.
- `key`: content of the private key - `key`: content of the private key
- `cert`: content of the public key - `cert`: content of the public key
OR ### Remote file
You can use these variables if you use another task/role to manages your certificates.
- `dest_cert`: remote path where certificate is located - `dest_cert`: remote path where certificate is located
- `dest_key`: remote path where key is located - `dest_key`: remote path where key is located
Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo", key is -> /etc/nginx/ssl/foo/foo.key ### Self signed
Create a self-signed pair and deploy it. Do not use this feature in production.
- `self_signed`: set true to use this featrure
- `force`: optional feature (default: false), force regen pair (not idempotent)
### Acme
Uses acme.sh to create free certificates. It uses HTTP-01 challenge. Use this feature for standalone servers.
- `acme`: set true to use this feature. It uses `name` (can be a string or string list).
Have a look to [acme configuratuion](acme.md configuration).
Tips Tips
---- ----
- Deploying key/cert is not mandatory with this role. You can manage it in other place ([letsencrypt](https://letsencrypt.org/)? :)). You just need to set `dest_cert` and `dest_key`! - In `nginx_sites`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with site `name` (first in list if it's a list).
- In `nginx_vhosts`, `ssl_name` is mandatory. This role will search in `nginx_ssl_pairs` with vhost `name` (first in list if it's a list).
Diffie-Hellman Diffie-Hellman
-------------- --------------
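Review bot: the last added line links `[acme configuratuion](acme.md configuration)`; the space inside the parentheses makes the target invalid markdown and "configuratuion" is a typo, so it should be `[acme configuration](acme.md)`. "dans" in the `name` note is French for "and", and "featrure" is a typo. The Self signed section says `force` is not idempotent; spell out the consequence, namely that a `force: true` left in inventory regenerates the pair and reloads nginx on every run. The Acme section should state the preconditions the tasks in this change impose: the names in `name` must resolve to this host with port 80 reachable for HTTP-01, and issuance temporarily replaces the enabled site with a fake one and restarts nginx (tasks/ssl/acme.yml), which operators of a live site need to know before setting `acme: true`.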
@@ -44,7 +61,7 @@ Example
------- -------
```yaml ```yaml
nginx_vhosts; nginx_sites;
- name: 'test-ssl.local' - name: 'test-ssl.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
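Review bot: the example opens with `nginx_sites;` (semicolon), carried over from `nginx_vhosts;`; that is not a valid YAML mapping key and fails to parse if pasted, so the rename is the moment to fix it to `nginx_sites:`.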
@@ -52,6 +69,13 @@ nginx_vhosts;
- name: 'test-ssl2.local' - name: 'test-ssl2.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
- name: 'test-ssl3.local'
proto: ['http', 'https']
template: '_base'
- name: 'test-self-signed.local'
proto: ['http', 'https']
template: '_base'
ssl_name: 'this.is.self.signed'
nginx_ssl_pairs: nginx_ssl_pairs:
- name: mysuperkey - name: mysuperkey
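Review bot: `test-ssl3.local` is added with `proto: ['http', 'https']` and no `ssl_name`, so by the Tips in this file the role will look for a pair named `test-ssl3.local` in `nginx_ssl_pairs`; no such pair appears in the visible part of the example, so either add it or say which pair is meant to serve it. The `test-self-signed.local` entry with `ssl_name: 'this.is.self.signed'` is a good illustration of a site bound to a pair whose `name` differs from the site name; keep it.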
@@ -64,14 +88,9 @@ nginx_ssl_pairs:
....(snip).... ....(snip)....
-----END CERTIFICATE----- -----END CERTIFICATE-----
- name: test-ssl2.local - name: test-ssl2.local
key: | acme: true
-----BEGIN RSA PRIVATE KEY----- - name: this.is.self.signed
....(snip).... self_signed: true
-----END RSA PRIVATE KEY----- force: false
cert: |
-----BEGIN CERTIFICATE-----
....(snip)....
-----END CERTIFICATE-----
``` ```
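Review bot: changing the `test-ssl2.local` pair from inline `key`/`cert` to `acme: true` removes the only example of the Content mode, which the section above recommends for use with vault; keep one inline example, ideally with a `!vault` placeholder instead of a literal `-----BEGIN RSA PRIVATE KEY-----` block, so readers are not nudged toward committing key material in plaintext. For the acme entry, mention that `acme: true` in a test inventory contacts the CA unless `nginx_acmesh_test` is set (the `--test` flag in tasks/ssl/acme.yml), otherwise a copy-pasted example hits production rate limits.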


@@ -3,12 +3,10 @@ Upstream management
`nginx_upstreams`: List of dict. An upstream has few keys. See bellow. `nginx_upstreams`: List of dict. An upstream has few keys. See bellow.
Note: Few params are unavailable on old Nginx version. But this role do _not_ put it if your version is too old!
Upstream params Upstream params
--------------- ---------------
- `name`: upstream name. Can be use in vhost with *proxy_pass http://upstream_name* - `name`: upstream name. Can be use in site with *proxy_pass http://upstream_name*
- `params`: list of param (hash, zone...) - `params`: list of param (hash, zone...)
- `servers`: each upstream MUST have at least 1 server - `servers`: each upstream MUST have at least 1 server
- `state`: Optional. Can be 'absent' or 'present' - `state`: Optional. Can be 'absent' or 'present'
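Review bot: the removed sentence was the only warning that upstream `params` such as `zone` need a sufficiently recent nginx, and the version-gated include that backed it (`dyn_modules.yml` with its `version_compare` guard) is deleted elsewhere in this change. If the templates no longer check `nginx_version` before emitting a param, the doc should say that an unsupported param now fails `nginx -t` in the reload handler instead of being dropped, so the behaviour change is not a surprise.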

filter_plugins/nginx.py Normal file

@@ -0,0 +1,68 @@
def nginx_site_filename(site):
if 'filename' in site:
return site['filename']
else:
return nginx_site_name(site)
def nginx_site_name(site):
if isinstance(site['name'], list):
return site['name'][0]
else:
return site['name']
def nginx_ssl_dir(pair, ssl_dir):
return ssl_dir + '/' + nginx_site_filename(pair)
def nginx_key_path(pair, ssl_dir):
if 'dest_key' in pair:
return pair['dest_key']
else:
return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.key'
def nginx_cert_path(pair, ssl_dir):
if 'dest_cert' in pair:
return pair['dest_cert']
else:
return nginx_ssl_dir(pair, ssl_dir) + '/' + nginx_site_filename(pair) + '.crt'
def nginx_all_site_names(site):
all_sites = []
if isinstance(site['name'], list):
all_sites = all_sites + site['name']
else:
all_sites.append(site['name'])
if 'redirect_from' in site:
if isinstance(site['redirect_from'], list):
all_sites = all_sites + site['redirect_from']
else:
all_sites.append(site['redirect_from'])
return all_sites
def nginx_search_by_ssl_name(sites, ssl_name):
if isinstance(ssl_name, list):
comp_ssl_name = ssl_name[0]
else:
comp_ssl_name = ssl_name
res = None
for site in sites:
if 'ssl_name' in site and site['ssl_name'] == comp_ssl_name:
res = site
break
return res
class FilterModule(object):
''' Nginx module '''
def filters(self):
return {
'nginx_site_filename': nginx_site_filename,
'nginx_site_name': nginx_site_name,
'nginx_ssl_dir': nginx_ssl_dir,
'nginx_key_path': nginx_key_path,
'nginx_cert_path': nginx_cert_path,
'nginx_all_site_names': nginx_all_site_names,
'nginx_search_by_ssl_name': nginx_search_by_ssl_name
}
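Review bot: `nginx_search_by_ssl_name` returns `None` when no site carries an explicit `ssl_name`, but the docs in this change describe `ssl_name` as optional with a fallback to `name`, and tasks/ssl/acme.yml pipes the result straight into `nginx_all_site_names`, which raises `TypeError: 'NoneType' object is not subscriptable` for exactly that common case. Make the filter also match `nginx_site_name(site) == comp_ssl_name` when `ssl_name` is absent, and raise `AnsibleFilterError` with the name being looked up instead of returning `None`. Separately, `filename` (or the first `name`) is joined into the `sites-available`, `sites-enabled` and SSL key paths by plain string concatenation; the only validation anywhere is the `default` check in tasks/site.yml, so a value containing `/` or `..` writes outside those directories as root. Reject path separators in `nginx_site_filename` (or take `os.path.basename`) so an inventory typo cannot clobber an unrelated file.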

filter_plugins/php.py Normal file

@@ -0,0 +1,10 @@
def php_default_upstream_socket(php_version):
return '/run/php/php%s-fpm.sock' % php_version
class FilterModule(object):
''' PHP module '''
def filters(self):
return {
'php_default_upstream_socket': php_default_upstream_socket,
}
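Review bot: `php_default_upstream_socket` builds `/run/php/php%s-fpm.sock`, which matches Debian's php-fpm layout only when `php_version` carries the minor version (`7.4` gives `php7.4-fpm.sock`; a bare `7` gives `php7-fpm.sock`, which does not exist), yet the site doc in this change still describes `php_version` as "5 or 7". Either document the `major.minor` form or validate the argument here and fail with a clear message. Debian's php5-fpm also listened on `/var/run/php5-fpm.sock` with no `php/` subdirectory, so the `5` case never matched this path.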


@@ -1,13 +1,46 @@
--- ---
# Reload wrapper
- name: reload nginx - name: reload nginx
command: nginx -t ansible.builtin.command: nginx -t
notify: real-reload nginx notify:
- real-reload nginx
- docker reload nginx
- name: restart nginx
ansible.builtin.command: nginx -t
notify:
- real-restart nginx
- docker restart nginx
- name: real-reload nginx - name: real-reload nginx
service: name=nginx state=reloaded ansible.builtin.service:
name: nginx
state: reloaded
when: ansible_virtualization_type != 'docker'
- name: real-restart nginx
ansible.builtin.service:
name: nginx
state: restarted
when: ansible_virtualization_type != 'docker'
- name: docker reload nginx
ansible.builtin.command: service nginx reload
args:
warn: false
when: ansible_virtualization_type == 'docker'
- name: docker restart nginx
ansible.builtin.command: service nginx restart
args:
warn: false
when: ansible_virtualization_type == 'docker'
- name: restart nginx freebsd - name: restart nginx freebsd
service: name=nginx state=restarted ansible.builtin.service:
name: nginx
state: restarted
when: ansible_distribution == "FreeBSD" when: ansible_distribution == "FreeBSD"
- name: setup
ansible.builtin.setup:
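Review bot: `restart nginx freebsd` is the only restart path not gated by the `nginx -t` wrapper, so on FreeBSD a broken rendered site takes the service down while the Debian wrappers catch the same mistake; route it through the same config test. The docker handlers pass `args: warn: false`, which is deprecated in ansible-core 2.11 (the new `min_ansible_version`) and removed in 2.14; drop it. Selecting handlers on `ansible_virtualization_type == 'docker'` leaves other container runtimes, which report a different string but equally lack an init system, on the `service` module path that will fail there; testing for the absence of a service manager would be more robust than matching the string `docker`.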


@@ -1,19 +1,27 @@
--- ---
galaxy_info: galaxy_info:
author: Emilien Mantel author: Emilien Mantel
description: Nginx for Debian namespace: hanxhx
role_name: nginx
description: Nginx for Debian / FreeBSD
company: company:
license: GPLv2 license: GPLv2
min_ansible_version: 2.0 min_ansible_version: 2.11
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- jessie - stretch
- buster
- bullseye
- name: FreeBSD - name: FreeBSD
versions: versions:
- 10.2 - 11.0
- 11.1
- 12.0
galaxy_tags: galaxy_tags:
- web - web
- debian
- proxy - proxy
- http - http
- http2 - http2
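Review bot: `dependencies: []` stays empty while this change still calls the short-named `pkgng` in install_FreeBSD.yml and `ansible.builtin.htpasswd` in htpasswd.yml; both modules live in `community.general` on ansible-core 2.11, the new `min_ansible_version`, so declare the collection (a `collections:` list here or a `requirements.yml`) and correct the FQCNs to `community.general.pkgng` and `community.general.htpasswd`. Quote `min_ansible_version` as `'2.11'`: YAML reads the bare value as a float, harmless for 2.11 but a `2.10`-style value silently becomes `2.1`.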
@@ -23,4 +31,3 @@ galaxy_info:
- nginx - nginx
- cdn - cdn
dependencies: [] dependencies: []


@@ -1,34 +1,57 @@
--- ---
- name: TEMPLATE | Deploy nginx.conf - name: TEMPLATE | Deploy nginx.conf
template: > ansible.builtin.template:
src=etc/nginx/nginx.conf.j2 src: "etc/nginx/nginx.conf.j2"
dest="{{ nginx_etc_dir }}/nginx.conf" dest: "{{ nginx_etc_dir }}/nginx.conf"
mode: 0644
owner: root
group: root
notify: reload nginx notify: reload nginx
- name: TEMPLATE | Deploy all helpers - name: TEMPLATE | Deploy all helpers
template: > ansible.builtin.template:
src={{ item }} src: "{{ item }}"
dest={{ nginx_helper_dir }}/{{ item | basename | regex_replace('\.j2$','') }} dest: "{{ nginx_helper_dir }}/{{ item | basename | regex_replace('.j2$','') }}"
mode: 0644
owner: root
group: root
with_fileglob: '../templates/etc/nginx/helper/*.j2' with_fileglob: '../templates/etc/nginx/helper/*.j2'
notify: reload nginx notify: reload nginx
- name: TEMPLATE | Deploy custom http configuration - name: TEMPLATE | Deploy custom http configuration
template: > ansible.builtin.template:
src=etc/nginx/conf.d/custom.conf.j2 src: "etc/nginx/conf.d/custom.conf.j2"
dest="{{ nginx_etc_dir }}/conf.d/custom.conf" dest: "{{ nginx_etc_dir }}/conf.d/custom.conf"
mode: 0644
owner: root
group: root
notify: reload nginx notify: reload nginx
- name: LINEINFILE | Fix path - name: LINEINFILE | Fix path
lineinfile: > ansible.builtin.lineinfile:
regexp='{{ item.0.regexp }}' regexp: '{{ item.0.regexp }}'
line='{{ item.0.line }}' line: '{{ item.0.line }}'
dest='{{ item.1 }}' dest: '{{ item.1 }}'
with_nested: loop: "{{ list_one | product(list_two) | list }}"
- vars:
list_one:
- regexp: '^fastcgi_param SCRIPT_FILENAME' - regexp: '^fastcgi_param SCRIPT_FILENAME'
line: 'fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;' line: 'fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;'
- regexp: '^fastcgi_param DOCUMENT_ROOT' - regexp: '^fastcgi_param DOCUMENT_ROOT'
line: 'fastcgi_param DOCUMENT_ROOT $realpath_root;' line: 'fastcgi_param DOCUMENT_ROOT $realpath_root;'
- [ '/etc/nginx/fastcgi_params', '/etc/nginx/fastcgi.conf' ] list_two:
- '{{ nginx_etc_dir }}/fastcgi.conf'
when: nginx_fastcgi_fix_realpath when: nginx_fastcgi_fix_realpath
- name: COPY | Add modules manually
ansible.builtin.copy:
content: |
{% for m in nginx_load_modules %}
load_module {{ m }};
{% endfor %}
dest: "{{ nginx_etc_dir }}/modules-enabled/000-modules.conf"
mode: 0644
owner: root
group: root
notify: reload nginx
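Review bot: `regex_replace('.j2$','')` lost the backslash that escaped the dot on the old side (`'\.j2$'`); it still works because every glob match ends in `.j2`, but restore the escape rather than rely on that. The realpath fix now edits only `fastcgi.conf`; `fastcgi_params` was dropped from the list with no explanation, so PHP sites that include `fastcgi_params` keep `$document_root`, which is the symlinked-release case `$realpath_root` exists to fix; keep both or say why. The `lineinfile` call has no `create: true`, so on a host where `fastcgi.conf` is absent (the FreeBSD task that used to create it is removed in this change) it fails. `COPY | Add modules manually` writes into `modules-enabled/`, a directory the FreeBSD install only creates `conf.d` and `sites-*` alongside; confirm `nginx_dirs` covers it or create it first. Finally, `nginx_load_modules` entries land in `load_module {{ m }};` verbatim, so document that they must be full `.so` paths.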


@@ -1,16 +0,0 @@
---
- name: FAIL | If Dynamic module is not available
fail: msg="{{ item }} dynamic module is not available"
with_items: "{{ nginx_dyn_modules }}"
when: "'{{ item }}=dynamic' not in nginx_modules"
- name: APT | Install nginx modules
apt: >
pkg="libnginx-mod-{{ item | replace('_', '-') }}"
state=present
default_release={{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}
with_items: "{{ nginx_dyn_modules }}"
when: ansible_distribution == 'Debian'
# TODO: manage freebsd
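Review bot: deleting this file also deletes the only check that a requested dynamic module exists before nginx is asked to load it; with the replacement `nginx_module_packages` apt task and the `nginx_load_modules` file in config.yml, a misspelled module now surfaces only as a failed `nginx -t` in the handler. That is acceptable, but the commit should state that `nginx_dyn_modules` is gone and what replaces it, since inventories still setting it will be silently ignored. The removed `when: "'{{ item }}=dynamic' not in nginx_modules"` was a Jinja-in-conditional pattern ansible-lint rejects, so dropping it is welcome.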


@@ -1,20 +1,21 @@
--- ---
- name: FILE | Delete htpasswd file - name: FILE | Delete htpasswd file
file: > ansible.builtin.file:
path={{ nginx_htpasswd_dir }}/{{ item.name }} path: "{{ nginx_htpasswd_dir }}/{{ item.name }}"
state=absent state: absent
with_items: "{{ nginx_htpasswd }}" loop: "{{ nginx_htpasswd }}"
when: item.state is defined and item.state == 'absent' when: item.state is defined and item.state == 'absent'
no_log: "{{ not nginx_debug_role }}"
- name: HTPASSWD | Manage files - name: HTPASSWD | Manage files
htpasswd: > ansible.builtin.htpasswd:
name={{ item.1.name }} name: "{{ item.1.name }}"
password={{ item.1.password }} password: "{{ item.1.password }}"
state={{ item.1.state | default('present') }} path: "{{ nginx_htpasswd_dir }}/{{ item.0.name }}"
path={{ nginx_htpasswd_dir }}/{{ item.0.name }} mode: 0644
with_subelements: owner: root
- "{{ nginx_htpasswd }}" group: root
- users loop: "{{ nginx_htpasswd | subelements('users') }}"
when: item.0.state is not defined or item.0.state == 'present' when: item.0.state is not defined or item.0.state == 'present'
no_log: true no_log: "{{ not nginx_debug_role }}"
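Review bot: the htpasswd file is now created with `mode: 0644`, `owner: root`, `group: root`, which makes the password hashes readable by every local account; use `0640` with `group: "{{ nginx_user }}"` so only nginx and root can read it. Per-user removal is lost in the rewrite: the old task passed `state={{ item.1.state | default('present') }}`, the new one omits `state`, so a user entry marked `state: absent` is silently re-added. And `ansible.builtin.htpasswd` is not a builtin module; `htpasswd` lives in `community.general`, so the task will not resolve under the 2.11 minimum set in meta/main.yml. The `no_log` on the delete task is unneeded (only a filename is logged) but harmless.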


@@ -1,23 +1,53 @@
--- ---
- name: SET_FACT | Bypass https://github.com/ansible/ansible/issues/19874
ansible.builtin.set_fact:
ansible_distribution_release: 'buster'
when: ansible_facts.distribution_major_version == "buster/sid"
- name: APT | Update cache - name: APT | Update cache
apt: > ansible.builtin.apt:
update_cache=yes update_cache: true
cache_valid_time=3600 cache_valid_time: 3600
changed_when: false changed_when: false
- name: APT | Force OpenSSL from backports (fix dependency break)
apt: >
pkg=openssl
state=latest
default_release={{ ansible_distribution_release + '-backports' }}
when: nginx_backports
- name: APT | Install nginx and dependencies - name: APT | Install nginx and dependencies
apt: > ansible.builtin.apt:
pkg={{ nginx_apt_package }} pkg: "{{ nginx_apt_package }}"
state=present default_release: "{{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}"
default_release={{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}
- name: APT | Install nginx modules
ansible.builtin.apt:
pkg: "{{ nginx_module_packages }}"
state: present
- name: APT | Install python-passlib - name: APT | Install python-passlib
apt: pkg=python-passlib state=present ansible.builtin.apt:
pkg: "python{% if ansible_python_version is version('3', '>=') %}3{% endif %}-passlib"
state: present
- name: STAT | Check acme.sh is installed
ansible.builtin.stat:
path: "{{ nginx_acmesh_dir }}"
register: acme
- block:
- name: APT | Install git
ansible.builtin.apt:
pkg: git
- name: GIT | Get acme.sh
ansible.builtin.git:
repo: 'https://github.com/Neilpang/acme.sh.git'
dest: '{{ nginx_acmesh_git_dir }}'
update: false
version: master
- name: COMMAND | Install acme.sh
ansible.builtin.command: ./acme.sh --install --home "{{ nginx_acmesh_dir }}"
args:
chdir: "{{ nginx_acmesh_git_dir }}"
creates: "{{ nginx_acmesh_dir }}"
when: not acme.stat.exists
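Review bot: acme.sh is cloned from `master` with no pinned tag or commit and then executed as root by `./acme.sh --install`, so anyone who can push to that branch gets code execution on every newly provisioned host; pin `version:` to a release tag, expose the pin as a role variable so it is bumped deliberately, and consider checking the checkout against a known commit (`update: false` already means the clone never moves afterwards). The `buster/sid` `set_fact` hard-codes `buster`, so a testing host reporting `bullseye/sid` is not matched; the workaround needs updating alongside the Bullseye support this change adds. The openssl backports pin is removed while `default_release` for the nginx package still switches to backports; say why the dependency break it worked around no longer applies.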


@@ -1,46 +1,62 @@
--- ---
- name: PKGNG | Install nginx and related tools - name: PKGNG | Install nginx and related tools
pkgng: name={{ item }} state=present pkgng:
with_items: name: "{{ item }}"
state: present
loop:
- acme.sh
- "{{ nginx_pkgng_package }}" - "{{ nginx_pkgng_package }}"
- py27-passlib - py27-passlib
- curl - curl
#
# Bypass https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224166#c1
#
- block:
- name: COMMAND | Create /usr/local/etc/fdfs/http.conf
ansible.builtin.command: touch /usr/local/etc/fdfs/http.conf
args:
creates: /usr/local/etc/fdfs/http.conf
register: fd1
- name: LINEINFILE | Tune fdfs
ansible.builtin.lineinansible.builtin.file:
regexp: ^load_fdfs_parameters_from_tracker
line: load_fdfs_parameters_from_tracker=false
path: /usr/local/etc/fdfs/mod_fastdfs.conf
register: fd2
- name: SERVICE | Restart nginx when fdfs is tuned
ansible.builtin.service:
name: nginx
state: restarted
when: fd1.changed or fd2.changed
when: true
- name: FILE | Create configuration dir (like Debian) - name: FILE | Create configuration dir (like Debian)
file: path="{{ nginx_etc_dir }}/{{ item }}" state=directory ansible.builtin.file:
with_items: path: "{{ nginx_etc_dir }}/{{ item }}"
state: directory
mode: 0755
owner: root
group: root
loop:
- conf.d - conf.d
- sites-available - sites-available
- sites-enabled - sites-enabled
- name: STAT | Check fastcgi.conf
stat: path={{ nginx_etc_dir }}/fastcgi.conf
register: conf
- name: COPY | config
command: "cp {{ nginx_etc_dir }}/fastcgi_params {{ nginx_etc_dir }}/fastcgi.conf"
when: not conf.stat.exists
notify: reload nginx
- name: LINEINFILE | Add fastcgi config
lineinfile: >
line="fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;"
dest="{{ nginx_etc_dir }}/fastcgi.conf"
notify: reload nginx
- name: COPY | Populate proxy_params
copy: >
content="proxy_set_header Host $http_host;\nproxy_set_header X-Real-IP $remote_addr;\nproxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_set_header X-Forwarded-Proto $scheme;"
dest="{{ nginx_etc_dir }}/proxy_params"
- name: FILE | Create log directory - name: FILE | Create log directory
file: > ansible.builtin.file:
path={{ nginx_log_dir }} path: "{{ nginx_log_dir }}"
owner={{ nginx_user }} owner: "{{ nginx_user }}"
group=wheel group: wheel
mode=0755 mode: 0755
state=directory state: directory
- name: SERVICE | Enable nginx - name: SERVICE | Enable nginx
service: name=nginx enabled=yes ansible.builtin.service:
name: nginx
enabled: true
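Review bot: `ansible.builtin.lineinansible.builtin.file` in the fdfs tune task is a search-and-replace accident (`lineinfile` with `file` substituted) and will not resolve; it should be `ansible.builtin.lineinfile`. The bare `pkgng` in the first task is the one module left without an FQCN and is `community.general.pkgng` on ansible-core 2.11. `when: true` on the fdfs block is a no-op that reads as a leftover; drop it or gate the block on the fdfs module actually being installed. `ansible.builtin.file: state: touch` replaces the `command: touch` plus `creates` pair idempotently. The tasks that produced `fastcgi.conf` and `proxy_params` on FreeBSD are removed, yet config.yml in this change still edits `fastcgi.conf` with `lineinfile` (no `create`) and any template that includes `proxy_params` will need the file; confirm the FreeBSD package ships both or a fresh FreeBSD host breaks. Installing acme.sh from pkg here while Debian clones git master also means two different versions in the field.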


@@ -1,30 +1,30 @@
--- ---
- name: INCLUDE_VARS | Related to OS - name: INCLUDE_VARS | Related to OS
include_vars: "{{ ansible_distribution }}.yml" ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
tags: ['nginx::site', 'nginx::ssl']
- name: INCLUDE | Install - name: INCLUDE_TASKS | Install
include: install_{{ ansible_distribution }}.yml ansible.builtin.include_tasks: "install_{{ ansible_distribution }}.yml"
tags: ['nginx::site', 'nginx::ssl']
- name: INCLUDE | Prepare - name: IMPORT_TASKS| Prepare
include: prepare.yml ansible.builtin.import_tasks: prepare.yml
tags: ['nginx::site', 'nginx::ssl']
- name: INCLUDE | Manage dynamic modules - name: IMPORT_TASKS| Install
include: dyn_modules.yml ansible.builtin.import_tasks: config.yml
when: nginx_version.stdout | version_compare('1.9.11', 'ge')
- name: INCLUDE | Install - name: IMPORT_TASKS| Upstream configuration
include: config.yml ansible.builtin.import_tasks: upstream.yml
- name: INCLUDE | Upstream configuration - name: IMPORT_TASKS| htpasswd configuration
include: upstream.yml ansible.builtin.import_tasks: htpasswd.yml
- name: INCLUDE | htpasswd configuration - name: IMPORT_TASKS| SSL configuration
include: htpasswd.yml ansible.builtin.import_tasks: ssl/main.yml
tags: ['nginx::ssl']
- name: INCLUDE | SSL configuration
include: ssl.yml
- name: INCLUDE | Vhosts configuration
include: vhost.yml
- name: IMPORT_TASKS| Sites configuration
ansible.builtin.import_tasks: site.yml
tags: ['nginx::site']
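Review bot: the `tags: ['nginx::site', 'nginx::ssl']` on the `include_tasks` for `install_{{ ansible_distribution }}.yml` does not reach the tasks inside it; tags on a dynamic include apply to the include statement only, so `ansible-playbook --tags nginx::site` runs the include and then skips every untagged task in the install file, while `prepare.yml` (an `import_tasks`, whose tags do propagate) runs. Since the file name depends on a fact, `import_tasks` is not an option; use `include_tasks` with `apply: { tags: [...] }` or tag the tasks inside the included file. The same tag run also skips `config.yml`, `upstream.yml` and `htpasswd.yml`, so a site-only run can enable a site that references an upstream or htpasswd file the role never wrote; if that is intended, a comment saying so would help.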


@@ -1,26 +1,47 @@
--- ---
- name: SHELL | Get Nginx version - name: SHELL | Get Nginx version
shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1 ansible.builtin.shell: nginx -v 2>&1 | sed -r 's#.*/##;' | cut -d ' ' -f 1
args: args:
executable: /bin/sh executable: /bin/sh
register: nginx_version register: nginx_version
changed_when: false changed_when: false
check_mode: false
tags:
- skip_ansible_lint
- name: SHELL | Get module list - name: SHELL | Get module list
shell: nginx -V 2>&1 | tr -- - '\n' | grep -A 1 with | grep _module | sed -r 's/_module//g; s/\s+//g' | sort ansible.builtin.shell: |
nginx -V 2>&1 |
tr -- - '\n' |
grep -A 1 with |
grep _module |
sed -r 's/_module//g; s/\s+//g' |
sort
args: args:
executable: /bin/sh executable: /bin/sh
register: shell_modules register: shell_modules
changed_when: false changed_when: false
check_mode: false
tags:
- skip_ansible_lint
- name: SET_FACT | Save modules - name: SET_FACT | Save modules
set_fact: ansible.builtin.set_fact:
nginx_modules: "{{ shell_modules.stdout_lines }}" nginx_modules: "{{ shell_modules.stdout_lines }}"
- name: FILE | Create folders - name: FILE | Create folders
file: dest="{{ item.dir }}" owner="{{ item.owner }}" mode="{{ item.mode }}" state=directory ansible.builtin.file:
with_items: "{{ nginx_dirs }}" dest: "{{ item.dir }}"
owner: "{{ item.owner }}"
mode: "{{ item.mode }}"
state: directory
loop: "{{ nginx_dirs }}"
- name: FILE | Create ansible facts dir - name: FILE | Create ansible facts dir
file: path=/etc/ansible/facts.d state=directory ansible.builtin.file:
path: /etc/ansible/facts.d
state: directory
mode: 0755
owner: root
group: root
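Review bot: the `nginx -v` and `nginx -V` pipelines are tagged `skip_ansible_lint` rather than reworked; registering `nginx -v` and extracting the version with `regex_search` in `set_fact` drops the `sed`/`cut` chain, the `/bin/sh` dependency and the lint exemption. `nginx_version` is still registered, but its only consumer visible in this change (the `version_compare` guard in main.yml) is removed; if the templates no longer use it, the task can go. `FILE | Create folders` sets `owner` and `mode` from `nginx_dirs` but no `group`, so those directories inherit the parent's group while every other `file` task in this change sets one explicitly; add `group` to the `nginx_dirs` entries.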

tasks/site.yml Normal file

@@ -0,0 +1,125 @@
---
- name: FAIL | Check filenames
ansible.builtin.fail:
msg: "Forbidden keyword default on site {{ item | nginx_site_name }}"
when: item.filename is defined and item.filename == 'default'
loop: "{{ nginx_sites }}"
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FAIL | Check HTTPS redir and proto
ansible.builtin.fail:
msg: "You can't have HTTP proto and HTTPS redirection at the same time"
when:
((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
(item.redirect_http is defined and item.redirect_http)
loop: "{{ nginx_sites }}"
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FILE | Create root directory
ansible.builtin.file:
path: "{{ nginx_root }}"
state: directory
mode: 0755
owner: root
group: root
- name: FILE | Create root public folders (foreach nginx_sites)
ansible.builtin.file:
path: "{{ nginx_root }}/{{ item | nginx_site_filename }}/public"
state: directory
owner: "{{ item.owner | default(nginx_user) }}"
group: "{{ item.group | default(nginx_user) }}"
mode: "{{ item.mode | default('0755') }}"
loop: "{{ nginx_sites }}"
when: >
item.root is not defined and
(item.template is defined and item.template not in nginx_templates_no_dir) and
(item.state is not defined or not item.state != 'absent') and
item.redirect_to is not defined
loop_control:
label: "{{ item | nginx_site_name }}"
- name: TEMPLATE | Create sites
ansible.builtin.template:
src: "etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2"
dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
mode: 0644
owner: root
group: root
notify: ['reload nginx', 'restart nginx freebsd']
when: (item.state is not defined or item.state != 'absent') and item.custom_template is not defined
loop: "{{ nginx_sites }}"
loop_control:
label: "{{ item | nginx_site_name }}"
- name: TEMPLATE | Create sites with preconfigured template
ansible.builtin.template:
src: "{{ item.custom_template }}"
dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
mode: 0644
owner: root
group: root
notify: ['reload nginx', 'restart nginx freebsd']
when: (item.state is not defined or item.state != 'absent') and item.custom_template is defined
loop: "{{ nginx_sites }}"
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FILE | Delete sites
ansible.builtin.file:
path: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
state: absent
loop: "{{ nginx_sites | product(dirs) | list }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: item.0.state is defined and item.0.state == 'absent'
vars:
dirs: ['sites-available', 'sites-enabled']
loop_control:
label: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
- name: FILE | Enable sites
ansible.builtin.file:
src: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
state: link
loop: "{{ nginx_sites }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: >
item.state is not defined or item.state == 'present'
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FILE | Disable sites
ansible.builtin.file:
path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
state: absent
loop: "{{ nginx_sites }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: item.state is defined and item.state == 'disabled'
loop_control:
label: "{{ item | nginx_site_name }}"
- name: FILE | Delete default site when explicitely defined
ansible.builtin.file:
path: "{{ nginx_etc_dir }}/sites-enabled/default"
state: absent
notify: ['reload nginx', 'restart nginx freebsd']
when: nginx_default_site is not none
- name: FILE | Auto set default site
ansible.builtin.file:
src: "{{ nginx_etc_dir }}/sites-available/default"
dest: "{{ nginx_etc_dir }}/sites-enabled/default"
state: link
notify: ['reload nginx', 'restart nginx freebsd']
when: nginx_default_site is none
- name: TEMPLATE | Deploy facts
ansible.builtin.template:
src: etc/ansible/facts.d/nginx.fact.j2
dest: /etc/ansible/facts.d/nginx.fact
mode: 0644
notify: ['setup']
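Review bot: `FAIL | Check HTTPS redir and proto` tests `item.redirect_http`, but the key documented in docs/site.md in this change is `redirect_https`, so the guard never fires and a site with `proto: ['http']` plus `redirect_https: true` passes; fix the key name. The `when` on `FILE | Create root public folders` contains `not item.state != 'absent'`, which is `item.state == 'absent'`: the docroot is created only for sites being removed and skipped for present ones; it should be `item.state is not defined or item.state != 'absent'`. The `Forbidden keyword default` check only inspects an explicit `filename`, but a site whose `name` is `default` with no `filename` also lands on `sites-available/default` through `nginx_site_filename`; compare `item | nginx_site_filename` instead. Neither `name` nor `filename` is checked for `/` or `..` before being joined into `sites-available/`, `sites-enabled/` and `{{ nginx_root }}/`, so a bad inventory value writes outside those directories as root; reject separators here or in the filter. The `is none` tests on `nginx_default_site` error out if the variable is undefined, so defaults/main.yml must set it to `null`. Lastly, the docroot defaults to `owner: nginx_user`; a web server that owns its document root can be made to write into it after a compromise, so consider root ownership with a read-only nginx user and document `owner`/`group` for sites that truly need write access.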


@@ -1,52 +0,0 @@
---
- name: COMMAND | Generate DH file
command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
args:
creates: "{{ nginx_dh_path }}"
when: nginx_dh is not string
notify: reload nginx
async: 1000
register: dh
- name: COPY | Deploy DH file from vars
copy: >
content="{{ nginx_dh }}"
dest="{{ nginx_dh_path }}"
when: nginx_dh is string
notify: reload nginx
- name: FILE | Create SSL directories
file: >
path="{{ nginx_ssl_dir + '/' + item.name }}"
state=directory
with_items: "{{ nginx_ssl_pairs }}"
when: item.dest_key is not defined or item.dest_cert is not defined
no_log: true
- name: COPY | Deploy SSL keys
copy: >
content="{{ item.key }}"
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.key' if item.dest_key is not defined else item.dest_key }}"
mode=0640
with_items: "{{ nginx_ssl_pairs }}"
when: item.key is defined
notify: reload nginx
no_log: true
- name: COPY | Deploy SSL certs
copy: >
content="{{ item.cert }}"
dest="{{ nginx_ssl_dir + '/' + item.name + '/' + item.name + '.crt' if item.dest_cert is not defined else item.dest_cert }}"
mode=0644
with_items: "{{ nginx_ssl_pairs }}"
when: item.cert is defined
notify: reload nginx
no_log: true
- name: Check DH command status
async_status: jid={{ dh.ansible_job_id }}
register: job_result
until: job_result.finished
retries: 30
when: nginx_dh is not string
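Review bot: the deleted file deployed private keys with `mode=0640` and under `no_log: true`; the replacement `ssl/main.yml` is not in this view, so confirm it keeps `no_log` on every task that touches `item.key` (the new acme tasks use `no_log: "{{ not nginx_debug_role }}"`, fine as long as `nginx_debug_role` defaults to false) and does not widen the key mode or drop the owner. Also state in the commit whether DH parameters are still generated and at what length, given the "DH length 4096 -> 2048" commit in this range, since operators relying on `nginx_dh_path` will otherwise discover the change at reload time.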

tasks/ssl/acme.yml Normal file

@@ -0,0 +1,101 @@
---
- name: SET_FACT | Assign default...
ansible.builtin.set_fact:
acme_create: []
- name: STAT | Check if certificates are already installed
ansible.builtin.stat:
path: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
loop: "{{ nginx_ssl_pairs }}"
when: item.acme is defined and item.acme
register: acme_installed_certs
- name: SET_FACT | Assign var with certificates to create
ansible.builtin.set_fact:
acme_create: "{{ acme_create | default([]) + [ (item.item) ] }}"
loop: "{{ acme_installed_certs.results }}"
when: item.skipped is not defined and (not item.stat.exists or item.stat.size == 0)
- name: BLOCK | Start acme
block:
- name: TEMPLATE | Create fake site
ansible.builtin.template:
src: "etc/nginx/conf.d/FAKESITE.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
mode: 0644
owner: root
group: root
loop: "{{ acme_create }}"
register: fake_site
- name: FILE | Delete current site if needed
ansible.builtin.file:
path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}"
state: absent
loop: "{{ acme_create }}"
when: fake_site.changed
- name: SERVICE | Restart nginx
ansible.builtin.service:
name: nginx
state: restarted
when: fake_site.changed and ansible_virtualization_type != 'docker'
- name: COMMAND | Restart nginx
ansible.builtin.command: service nginx restart
args:
warn: false
when: fake_site.changed and ansible_virtualization_type == 'docker'
- name: COMMAND | Get certificates
ansible.builtin.command: |
{{ nginx_acmesh_bin }}
--home {{ nginx_acmesh_dir }}
--issue{% for s in nginx_sites | nginx_search_by_ssl_name(item.name) | nginx_all_site_names %} -d {{ s }}{% endfor %}
--nginx
{% if nginx_acmesh_test %}--test --log{% endif %}
args:
creates: "{{ nginx_acmesh_dir }}/{{ item | nginx_site_name }}/fullchain.cer"
loop: "{{ acme_create }}"
register: acme_get
failed_when: acme_get.rc != 0 and acme_get.rc != 2
no_log: "{{ not nginx_debug_role }}"
- name: FILE | Create SSL dir per site
ansible.builtin.file:
path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}"
loop: "{{ acme_create }}"
- name: COMMAND | Install certificates
ansible.builtin.command: |
{{ nginx_acmesh_bin }}
--home {{ nginx_acmesh_dir }}
--install-cert -d {{ nginx_sites | nginx_search_by_ssl_name(item | nginx_site_name) | nginx_site_name }}
--fullchain-file {{ item | nginx_cert_path(nginx_ssl_dir) }}
--key-file {{ item | nginx_key_path(nginx_ssl_dir) }}
--reloadcmd "service nginx reload"
args:
creates: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
loop: "{{ nginx_ssl_pairs }}"
when: item.acme is defined and item.acme
notify: restart nginx
rescue:
- name: FAIL | Explicit
ansible.builtin.fail:
msg: "Something is bad... Auto crash!"
always:
- name: FILE | Delete fake sites
ansible.builtin.file:
path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
state: absent
loop: "{{ acme_create }}"
notify: restart nginx
- name: META | Flush handlers
ansible.builtin.meta: flush_handlers
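Review bot: `FILE | Create SSL dir per site` (the task just before `COMMAND | Install certificates`) sets `path` but no `state: directory`; `ansible.builtin.file` defaults to `state: file`, which fails when the path does not exist instead of creating it, so `--install-cert` would then try to write `--fullchain-file`/`--key-file` into a missing directory. Add `state: directory` together with the `owner: root`, `group: root`, `mode: 0750` that the SSL directory task in standard.yml uses. A smaller point in `COMMAND | Get certificates`: `failed_when: acme_get.rc != 0 and acme_get.rc != 2` relies on acme.sh returning 2 for "certificate not yet due for renewal, skipped"; a one-line comment would save the next reader a trip to the acme.sh source.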

8
tasks/ssl/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: IMPORT_TASKS | standard.yml
import_tasks: standard.yml
- name: IMPORT_TASKS | acme.yml
import_tasks: acme.yml
when: nginx_acmesh

82
tasks/ssl/standard.yml Normal file
View File

@@ -0,0 +1,82 @@
---
- block:
- name: STAT | Get info about DH file
ansible.builtin.stat:
path: "{{ nginx_dh_path }}"
get_checksum: false
register: stat_dh_file
- name: SHELL | Get info about DH file
ansible.builtin.shell: openssl dhparam -in {{ nginx_dh_path }} -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }'
changed_when: false
register: dh_info
when: stat_dh_file.stat.exists
- name: COMMAND | Generate DH file
ansible.builtin.command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
when: not stat_dh_file.stat.exists or (dh_info.stdout | int != nginx_dh_length | int)
notify: restart nginx
when: nginx_dh is not string
- name: COPY | Deploy DH file from vars
ansible.builtin.copy:
content: "{{ nginx_dh }}"
dest: "{{ nginx_dh_path }}"
owner: root
group: root
mode: 0640
when: nginx_dh is string
notify: restart nginx
- name: FILE | Create SSL directories
ansible.builtin.file:
path: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
state: directory
owner: root
group: root
mode: 0750
loop: "{{ nginx_ssl_pairs }}"
when: item.dest_key is not defined or item.dest_cert is not defined
no_log: "{{ not nginx_debug_role }}"
- name: COPY | Deploy SSL keys
ansible.builtin.copy:
content: "{{ item.key }}"
dest: "{{ item | nginx_key_path(nginx_ssl_dir) }}"
owner: root
group: root
mode: 0640
loop: "{{ nginx_ssl_pairs }}"
when: item.key is defined
notify: restart nginx
no_log: "{{ not nginx_debug_role }}"
- name: COPY | Deploy SSL certs
ansible.builtin.copy:
content: "{{ item.cert }}"
dest: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
owner: root
group: root
mode: 0644
loop: "{{ nginx_ssl_pairs }}"
when: item.cert is defined
notify: restart nginx
no_log: "{{ not nginx_debug_role }}"
- name: COMMAND | Create self-signed certificates
ansible.builtin.command: |
openssl req
-new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509
-subj '/CN={{ item | nginx_site_name }}'
-keyout {{ item | nginx_key_path(nginx_ssl_dir) }}
-out {{ item | nginx_cert_path(nginx_ssl_dir) }}
args:
chdir: "{{ item | nginx_ssl_dir(nginx_ssl_dir) }}"
creates: "{{ '/tmp/dummy' if item.force is defined and item.force else item | nginx_cert_path(nginx_ssl_dir) }}"
loop: "{{ nginx_ssl_pairs }}"
when: item.self_signed is defined
notify: restart nginx
no_log: "{{ not nginx_debug_role }}"
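Review bot: `when: item.self_signed is defined` on `COMMAND | Create self-signed certificates` only tests presence, so an entry with `self_signed: false` still gets a certificate generated; use `item.self_signed is defined and item.self_signed`, the same form acme.yml uses for `item.acme`. Two smaller points in that task: the `creates: "{{ '/tmp/dummy' if item.force ... }}"` trick is skipped whenever `/tmp/dummy` happens to exist and otherwise regenerates the key pair (and notifies a restart) on every run, so `force` is not idempotent; and the generated key's ownership and mode are never set explicitly, while `COPY | Deploy SSL keys` enforces root-owned `0640`, so a follow-up `file` task with the same ownership and mode would keep both paths consistent. `SHELL | Get info about DH file` pipes without `set -o pipefail`, but since an openssl error leaves `dh_info.stdout` empty and `'' | int` is 0, the outcome is a regeneration rather than a silent skip, which is acceptable.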

View File

@@ -1,29 +1,29 @@
--- ---
- name: SET_FACT | Backward compatibility with old version of this role
set_fact: >
nginx_php56: true
when: nginx_php is defined and nginx_php
- name: TEMPLATE | Deploy PHP upstream to Nginx - name: TEMPLATE | Deploy PHP upstream to Nginx
template: > ansible.builtin.template:
src=etc/nginx/upstream/php.conf.j2 src: "etc/nginx/conf.d/php.conf.j2"
dest="{{ nginx_etc_dir }}/conf.d/php.conf" dest: "{{ nginx_etc_dir }}/conf.d/php.conf"
when: nginx_php56 or nginx_php70 mode: 0644
owner: root
group: root
notify: reload nginx notify: reload nginx
- name: TEMPLATE | Deploy other upstreams - name: TEMPLATE | Deploy other upstreams
template: > ansible.builtin.template:
src=etc/nginx/upstream/upstream.conf.j2 src: "etc/nginx/conf.d/_upstream.conf.j2"
dest={{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf dest: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
with_items: "{{ nginx_upstreams }}" mode: 0644
owner: root
group: root
loop: "{{ nginx_upstreams }}"
when: item.state is not defined or item.state == 'present' when: item.state is not defined or item.state == 'present'
notify: reload nginx notify: reload nginx
- name: FILE | Delete other upstreams - name: FILE | Delete other upstreams
file: > ansible.builtin.file:
path={{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf path: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
state=absent state: absent
with_items: "{{ nginx_upstreams }}" loop: "{{ nginx_upstreams }}"
when: item.state is defined and item.state == 'absent' when: item.state is defined and item.state == 'absent'
notify: reload nginx notify: reload nginx
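Review bot: removing the `SET_FACT | Backward compatibility` task means `nginx_php`, `nginx_php56` and `nginx_php70` from older inventories are now silently ignored rather than rejected; the new `php.conf.j2` iterates `nginx_php` as a list of upstreams, so an inventory still carrying `nginx_php: true` fails at render time with "'bool' object is not iterable" and no hint about what changed. Add an `ansible.builtin.assert`/`fail` that names the old variables and points to the new `nginx_php` list format, or at least a changelog entry.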

View File

@@ -1,90 +0,0 @@
---
- name: FAIL | Check filenames
fail: msg="Forbidden keyword default on vhost {{ item.name if item.name is string else item.name[0] }}"
when: item.filename is defined and item.filename == 'default'
with_items: "{{ nginx_vhosts }}"
- name: FAIL | Check HTTPS redir and proto
fail: msg="You can't have HTTP proto and HTTPS redirection at the same time"
when: >
((item.proto is defined and 'http' in item.proto) or (item.proto is not defined)) and
(item.redirect_http is defined and item.redirect_http)
with_items: "{{ nginx_vhosts }}"
- name: FILE | Create root directory
file: >
path={{ nginx_root }}
state=directory
- name: FILE | Create root public folders (foreach nginx_vhosts)
file: >
path={{ nginx_root }}/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}/public
state=directory
owner={{ item.owner | default(nginx_user) }}
group={{ item.group | default(nginx_user) }}
mode={{ item.mode | default('0755') }}
with_items: "{{ nginx_vhosts }}"
when: >
item.root is not defined and
(item.template is defined and item.template not in nginx_templates_no_dir) and
(item.state is not defined or not item.state != 'absent') and
item.redirect_to is not defined
- name: TEMPLATE | Create vhosts
template: >
src=etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2
dest={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
with_items: "{{ nginx_vhosts }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: item.state is not defined or item.state != 'absent'
- name: FILE | Delete vhosts
file: path={{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0.filename | default(item.0.name if item.0.name is string else item.0.name[0]) }} state=absent
with_nested:
- "{{ nginx_vhosts }}"
- ['sites-available', 'sites-enabled']
notify: ['reload nginx', 'restart nginx freebsd']
when: item.state is defined and item.state == 'absent'
- name: FILE | Enable vhosts
file: >
src={{ nginx_etc_dir }}/sites-available/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
dest={{ nginx_etc_dir }}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }}
state=link
with_items: "{{ nginx_vhosts }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: >
item.state is not defined or item.state == 'present'
- name: FILE | Disable vhosts
file: path={{ nginx_etc_dir}}/sites-enabled/{{ item.filename | default(item.name if item.name is string else item.name[0]) }} state=absent
with_items: "{{ nginx_vhosts }}"
notify: ['reload nginx', 'restart nginx freebsd']
when: item.state is defined and item.state == 'disabled'
- name: FILE | Delete default vhost when explicitely defined
file: >
path={{ nginx_etc_dir }}/sites-enabled/default
state=absent
notify: ['reload nginx', 'restart nginx freebsd']
when: nginx_default_vhost is not none
- name: FILE | Auto set default vhost
file: >
src={{ nginx_etc_dir }}/sites-available/default
dest={{ nginx_etc_dir }}/sites-enabled/default
state=link
notify: ['reload nginx', 'restart nginx freebsd']
when: nginx_default_vhost is none
- name: TEMPLATE | Deploy facts
template:
src=etc/ansible/facts.d/nginx.fact.j2
dest=/etc/ansible/facts.d/nginx.fact
mode=0644
register: fact
- name: SETUP
action: setup
when: fact.changed
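Review bot: this deleted file carried the two `FAIL` guards (a site `filename` of `default`, and `http` proto combined with `redirect_http`) and the `restart nginx freebsd` handler notifications; the replacement tasks are not part of this view, so please confirm they keep those checks, otherwise a site named `default` collides with the `sites-enabled/default` symlink handling that `FILE | Delete default vhost when explicitely defined` / `FILE | Auto set default vhost` managed here.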

View File

@@ -1,4 +1,4 @@
{ {
"fact_nginx_vhosts": "fact_nginx_sites":
{{ nginx_vhosts | to_nice_json(indent=8) }} {{ nginx_sites | to_nice_json(indent=8) }}
} }
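Review bot: renaming the fact key `fact_nginx_vhosts` to `fact_nginx_sites` breaks anything on the host that reads `ansible_local.nginx.fact_nginx_vhosts`; either emit both keys for one release or call the rename out in the changelog.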

View File

@@ -0,0 +1,18 @@
{% set site = nginx_sites | nginx_search_by_ssl_name(item.name) %}
{% set __listen = item.listen | default(nginx_default_listen) %}
{% set __listen_proxy_protocol = item.listen_proxy_protocol | default(nginx_default_listen_proxy_protocol) %}
server {
{% for port in __listen %}
listen {{ port }};
{% endfor %}
{% for port in __listen_proxy_protocol %}
listen {{ port }} proxy_protocol;
{% endfor %}
server_name {{ site | nginx_all_site_names | join(" ") }};
location / {
return 503;
}
}
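Review bot: `site` is looked up with `nginx_search_by_ssl_name(item.name)` but only used for `server_name`; `__listen` and `__listen_proxy_protocol` are read from `item` (the `nginx_ssl_pairs` entry), so unless the pair entry itself carries `listen` keys they fall back to `nginx_default_listen` rather than the site's own ports. A site with a custom `listen` port would have its real server block removed (`FILE | Delete current site if needed`) and the fake site bound to the wrong port, so the HTTP-01 validation never reaches it; read `site.listen | default(...)` and `site.listen_proxy_protocol | default(...)` instead. Returning 503 for `/` is fine because acme.sh's `--nginx` mode temporarily adds its own `.well-known/acme-challenge` location to the matching server block.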

View File

@@ -1,5 +1,5 @@
{%- macro s(key, value, is_bool, min_version) %} {%- macro s(key, value, is_bool, min_version) %}
{% if nginx_version.stdout | version_compare(min_version, 'ge') %} {% if nginx_version.stdout is version(min_version, 'ge') %}
{% if is_bool and value %} {{ key }}{% elif not is_bool %} {{ key }}={{ value }}{% endif %} {% if is_bool and value %} {{ key }}{% elif not is_bool %} {{ key }}={{ value }}{% endif %}
{% endif %} {% endif %}
{%- endmacro -%} {%- endmacro -%}

View File

@@ -0,0 +1,29 @@
#
# {{ ansible_managed }}
#
{% for php in nginx_php %}
upstream {{ php.upstream_name }} {
{% for sock in php.sockets | default([]) %}
{% if sock.host is defined %}
server {{ sock.host }}:{{ sock.port }} weight={{ sock.weight | default('1') }} max_fails={{ sock.max_fails | default('5') }} fail_timeout={{ sock.fail_timeout | default('10s') }};
{% else %}
server unix:{{ sock.unix }} weight={{ sock.weight | default('1') }};
{% endif %}
{% endfor %}
}
{% endfor %}
{% if ansible_local.hanxhx_php.fpm_pool is defined%}
# -------------------------------------------------------
# Auto-detected PHP config for HanXHX.php ansible role
# -------------------------------------------------------
{% for php in ansible_local.hanxhx_php.fpm_pool %}
upstream {{ php.name }} {
server {% if php.listen.startswith('/') %}unix:{{ php.listen }}{% else %}{{ php.listen }}{% endif %};
}
{% endfor %}
{% endif %}
# vim:filetype=nginx
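Review bot: nit, `{% if ansible_local.hanxhx_php.fpm_pool is defined%}` is missing the space before `%}`. More substantively, the configured upstreams (`upstream {{ php.upstream_name }}`) and the auto-detected ones (`upstream {{ php.name }}`) share one namespace, so a pool named like a configured upstream produces a duplicate-upstream error at `nginx -t`; a comment, or a distinct prefix for the auto-detected block, would make that collision obvious.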

View File

@@ -3,14 +3,12 @@
# #
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1.1 TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %}; ssl_session_tickets off;
{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% endif %}
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }}; resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }}; resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }}; ssl_dhparam {{ nginx_dh_path }};
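Review bot: the unchanged `ssl_ciphers` string still lists suites that do not exist in OpenSSL (`*-AES128-GCM-SHA128`, `*-AES128-GCM-SHA384`, `*-AES128-SHA128`, duplicated several times) and keeps `DES-CBC3-SHA` / `ECDHE-RSA-DES-CBC3-SHA` / `EDH-RSA-DES-CBC3-SHA` (3DES). OpenSSL silently drops unknown names, so the effective list is essentially whatever `HIGH:!aNULL:...` yields, with 3DES still enabled. If this helper is the compatibility profile, say so in the header comment and remove the bogus names; if not, TLSv1.1 could be dropped alongside TLSv1 now that TLSv1.3 is added. Moving the HSTS header out of the helper into the site template and adding `ssl_session_tickets off` are both welcome.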

View File

@@ -2,15 +2,15 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# #
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m; ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %}; ssl_session_tickets off;
{% if nginx_version.stdout | version_compare('1.3.7', 'ge') %}
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
{% endif %}
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }}; resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }}; resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }}; ssl_dhparam {{ nginx_dh_path }};
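Review bot: `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512` are not OpenSSL cipher names and are silently ignored, so the effective TLS 1.2 list is `ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384` (the last one CBC). Every entry is `*-RSA-*`, so an ECDSA certificate would have no usable suite; add the `ECDHE-ECDSA-AES256-GCM-SHA384` counterpart. `ssl_ecdh_curve secp384r1;` also pins a single group, excluding X25519 and P-256 clients from key exchange; `X25519:secp384r1:prime256v1` keeps the order server-preferred without that exclusion. Note that TLS 1.3 suites are not governed by `ssl_ciphers` in OpenSSL, so none of this affects the new TLSv1.3 branch.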

View File

@@ -5,11 +5,7 @@
user {{ nginx_user }}; user {{ nginx_user }};
worker_processes {{ nginx_worker_processes }}; worker_processes {{ nginx_worker_processes }};
pid {{ nginx_pid }}; pid {{ nginx_pid }};
{% if nginx_version.stdout | version_compare('1.9.11', 'ge') %} include {{ nginx_etc_dir }}/modules-enabled/*.conf;
{% for module in nginx_dyn_modules -%}
load_module "modules/ngx_{{ module }}_module.so";
{% endfor %}
{% endif %}
events { events {
worker_connections {{ nginx_events_worker_connections }}; worker_connections {{ nginx_events_worker_connections }};
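Review bot: replacing the `load_module` loop with `include {{ nginx_etc_dir }}/modules-enabled/*.conf;` ties the template to the Debian/Ubuntu packaging layout (a glob matching nothing is harmless, so other layouts do not break, they just load nothing). `nginx_dyn_modules` is no longer consumed by this template; remove it from defaults and the README, or fail when it is set, so users do not assume their modules are still being loaded.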

View File

@@ -1,33 +0,0 @@
{% extends "_base.j2" %}
{% block root %}
root /usr/share/backuppc/cgi-bin;
{% endblock %}
{% block template_try_files %}
{% endblock %}
{% block template_index %}
index index.cgi;
{% endblock %}
{% block template_local_content %}
location ~ /\.ht {
deny all;
}
location /backuppc/image {
alias /usr/share/backuppc/image;
expires 60d;
}
{% endblock %}
{% block template_upstream_location %}
location ~ \.cgi$ {
gzip off;
include {{ nginx_etc_dir }}/fastcgi_params;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
fastcgi_index BackupPC_Admin;
fastcgi_param SCRIPT_FILENAME /usr/share/backuppc/cgi-bin$fastcgi_script_name;
}
{% endblock %}

View File

@@ -1,13 +1,39 @@
{% set __proto = item.proto | default(['http']) %} {% set __proto = item.proto | default(['http']) %}
{% set __main_name = item.filename | default(item.name if item.name is string else item.name[0]) %} {% set __main_name = item | nginx_site_name %}
{% set __listen = item.listen | default([80]) %} {% set __listen = item.listen | default(nginx_default_listen) %}
{% set __listen_ssl = item.listen_ssl | default([443]) %} {% set __listen_ssl = item.listen_ssl | default(nginx_default_listen_ssl) %}
{% set __http_proxy_protocol_port = item.http_proxy_protocol_port | default([]) %} {% set __listen_proxy_protocol = item.listen_proxy_protocol | default(nginx_default_listen_proxy_protocol) %}
{% set __https_proxy_protocol_port = item.https_proxy_protocol_port | default([]) %} {% set __listen_proxy_protocol_ssl = item.listen_proxy_protocol_ssl | default(nginx_default_listen_proxy_protocol_ssl) %}
{% set __location = item.location | default({}) %} {% set __location = item.location | default({}) %}
{% set __location_before = item.location_before | default({}) %}
{% set __headers = item.headers | default(nginx_servers_default_headers) %} {% set __headers = item.headers | default(nginx_servers_default_headers) %}
{% set __ssl_name = item.ssl_name | default(item.name if item.name is string else item.name[0]) %} {% set __ssl_name = item.ssl_name | default(__main_name) %}
{% set __location_order = item.location_order | default(__location.keys()) %} {% set __location_order = item.location_order | default(__location.keys()) %}
{% set __location_order_before = item.location_order_before | default(__location_before.keys()) %}
{% set __http2 = nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %}
{% macro listen_http() %}
{% endmacro %}
{% macro server_name(name) %}
{% if name is string %}{{ name }}{% else %}{{ name | join(" ") }}{% endif %}
{% endmacro %}
{% macro locations(list, order) %}
{% if order | length > 0 %}
# --> Custom locations
{% for location in order %}
location {{ location }} {
{% set opts = list[location] %}
{% for opt in opts %}
{% if opt.htpasswd is defined %}
{{ htpasswd(opt.htpasswd, 2) }}
{% else %}
{{ opt }}
{% endif %}
{% endfor %}
}
{% endfor %}
# <-- Custom locations
{% endif %}
{% endmacro %}
{% macro htpasswd(htpasswd_name, indent=1) -%} {% macro htpasswd(htpasswd_name, indent=1) -%}
{%- if htpasswd_name != false %} {%- if htpasswd_name != false %}
{%- for ht in nginx_htpasswd if ht.name == htpasswd_name %} {%- for ht in nginx_htpasswd if ht.name == htpasswd_name %}
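Review bot: `{% macro listen_http() %}{% endmacro %}` is empty and never called; drop it. Computing `__http2` once and factoring the custom-location loop into `locations(list, order)` are good cleanups; the macro keeps the `# --> Custom locations` markers, so rendered output for existing sites should be unchanged apart from whitespace, which is worth one diff of a rendered config before merging.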
@@ -17,11 +43,26 @@
{%- endif %} {%- endif %}
{%- endmacro %} {%- endmacro %}
{% macro ssl(ssl_name) %} {% macro ssl(ssl_name) %}
{% for sn in nginx_ssl_pairs if sn.name == ssl_name %} {% for sn in nginx_ssl_pairs if (sn.name is defined and (sn | nginx_site_name) == ssl_name) %}
ssl_certificate {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.crt' if sn.dest_cert is not defined else sn.dest_cert }}; ssl_certificate {{ sn | nginx_cert_path(nginx_ssl_dir) }};
ssl_certificate_key {{ nginx_ssl_dir + '/' + ssl_name + '/' + ssl_name + '.key' if sn.dest_key is not defined else sn.dest_key }}; ssl_certificate_key {{ sn | nginx_key_path(nginx_ssl_dir) }};
{% endfor %} {% endfor %}
{%- endmacro %} {%- endmacro %}
{% macro httpsredirect(name) %}
server {
{% for port in __listen %}
listen {{ port }};
{% endfor %}
{% for port in __listen_proxy_protocol %}
listen {{ port }} proxy_protocol;
{% endfor %}
server_name {{ server_name(name) }};
location / {
return 301 https://{{ name }}{% if '443' not in __listen_ssl and 443 not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
}
}
{% endmacro %}
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
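Review bot: `httpsredirect(name)` redirects to `https://{{ name }}`, i.e. whichever name was requested, whereas the redirect server it replaces (further down, `return 301 https://{{ __main_name }}...`) sent every alias to `__main_name`; aliases now stay on their non-canonical host after the HTTPS hop. If that is intended, note it in the changelog; if not, pass `__main_name` as the target. The macro also no longer emits `default_server` on the redirect listener, which the old block did when `nginx_default_vhost == __main_name`; please confirm that is the intended fix for the default-site case.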
@@ -32,24 +73,31 @@
server { server {
{% if 'http' in __proto %} {% if 'http' in __proto %}
{% for port in __listen %} {% for port in __listen %}
listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %}; listen {{ port }}{% if nginx_default_site == __main_name %} default_server{% endif %};
{% endfor %}
{% for port in __listen_proxy_protocol %}
listen {{ port }}{% if nginx_default_site == __main_name %} default_server{% endif %} proxy_protocol;
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if 'https' in __proto %} {% if 'https' in __proto %}
{% for port in __listen_ssl %} {% for port in __listen_ssl %}
listen {{ port }}{% if nginx_default_vhost_ssl == __main_name %} default_server{% endif %} ssl{% if nginx_auto_config_httpv2 and 'http_v2' in nginx_modules %} http2{% endif %}{% if port | int in __https_proxy_protocol_port %} proxy_protocol{% endif %}; listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if __http2 %} http2{% endif %};
{% endfor %}
{% for port in __listen_proxy_protocol_ssl %}
listen {{ port }}{% if nginx_default_site_ssl == __main_name %} default_server{% endif %} ssl{% if __http2 %} http2{% endif %} proxy_protocol;
{% endfor %} {% endfor %}
{{ ssl(__ssl_name) }} {{ ssl(__ssl_name) }}
{% if item.ssl_template is not defined or item.ssl_template != false %} {% if item.ssl_template is not defined or item.ssl_template != false %}
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }}; include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
{% endif %} {% endif %}
{% endif %} {% endif %}
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %}; server_name {{ server_name(item.name) }};
{% block root %} {% block root %}
{% if item.root is defined %} {% if item.root is defined %}
root {{ item.root }}; root {{ item.root }};
{% else %} {% else %}
root {{ nginx_root }}/{{ __main_name }}/public; root {{ nginx_root }}/{{ item | nginx_site_filename }}/public;
{% endif %} {% endif %}
{% endblock %} {% endblock %}
{% block template_index %} {% block template_index %}
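Review bot: `add_header Strict-Transport-Security "..." always;` is emitted in `server` context, and nginx inherits `add_header` directives into a `location` only when that location defines no `add_header` of its own. Any custom location whose `opts` include an `add_header` therefore silently loses HSTS and all the `# --> Custom headers` entries for that location. Document this pitfall next to `hsts`/`nginx_default_hsts`, or move the shared headers into a snippet that such locations can `include`, so that per-site HSTS is not accidentally undone by a single location override.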
@@ -70,16 +118,18 @@ server {
{% block template_headers %} {% block template_headers %}
# --> Custom headers # --> Custom headers
{% for key, value in __headers.iteritems() %} {% for key, value in __headers.items() %}
add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %}; add_header {{ key }} "{{ value | regex_replace('\s+always$', '') }}"{% if value | regex_search('\s+always$') %} always{% endif %};
{% endfor %} {% endfor %}
# <-- Custom headers # <-- Custom headers
{% endblock %} {% endblock %}
{% if not __location.has_key('/') %} {{ locations(__location_before, __location_order_before) }}
{% if not '/' in __location %}
location / { location / {
{% block template_try_files %} {% block template_try_files %}
try_files {{ override_try_files | default('$uri $uri/ =404') }}; try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
{% endblock %} {% endblock %}
} }
{% endif %} {% endif %}
@@ -89,19 +139,7 @@ server {
{% block template_custom_location %} {% block template_custom_location %}
{% endblock %} {% endblock %}
{% if __location_order | length > 0 %} {{ locations(__location, __location_order) }}
# --> Custom locations
{% for location in __location_order %}
location {{ location }} {
{% set opts = __location[location] %}
{% for opt in opts %}
{% if opt.htpasswd is defined %}{{ htpasswd(opt.htpasswd, 2) }}{% else %}
{{ opt }}
{% endif %}
{% endfor %}
}
{% endfor %} # <-- Custom locations
{% endif %}
{% block template_local_content %} {% block template_local_content %}
{% if item.manage_local_content is not defined or item.manage_local_content %} {% if item.manage_local_content is not defined or item.manage_local_content %}
@@ -115,7 +153,7 @@ server {
log_not_found off; log_not_found off;
} }
location ~* \.(txt|js|css|png|jpe?g|gif|ico|svg)$ { location ~* \.(txt|js|css|png|jpe?g|gif|ico|svg|(o|t)tf|woff2?|eot)$ {
expires 30d; expires 30d;
log_not_found off; log_not_found off;
} }
@@ -142,15 +180,14 @@ server {
# #
# Redirect HTTP to HTTPS # Redirect HTTP to HTTPS
# #
server { {% if item.name is string %}
{% for port in __listen %} {{ httpsredirect(item.name) }}
listen {{ port }}{% if nginx_default_vhost == __main_name %} default_server{% endif %}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %}; {% else %}
{% for i in item.name %}
{{ httpsredirect(i) }}
{% endfor %} {% endfor %}
server_name {% if item.name is string %}{{ item.name }}{% else %}{{ "\n\t\t" }}{{ item.name | join("\n\t\t") }}{% endif %};
return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
}
{% endif %} {% endif %}
{% endif %}
{% if item.redirect_from is defined and item.redirect_from is iterable %} {% if item.redirect_from is defined and item.redirect_from is iterable %}
# #
@@ -158,11 +195,38 @@ server {
# #
server { server {
{% for port in __listen %} {% for port in __listen %}
listen {{ port }}{% if port | int in __http_proxy_protocol_port %} proxy_protocol{% endif %}; listen {{ port }};
{% endfor %} {% endfor %}
server_name {% if item.redirect_from is string %}{{ item.redirect_from }}{% else %}{{ "\n\t\t" }}{{ item.redirect_from | join("\n\t\t") }}{% endif %}; {% for port in __listen_proxy_protocol %}
listen {{ port }} proxy_protocol;
{% endfor %}
server_name {{ server_name(item.redirect_from) }};
location / {
return 301 $scheme://{{ __main_name }}$request_uri; return 301 $scheme://{{ __main_name }}$request_uri;
}
}
{% if 'https' in __proto %}
server {
{% for port in __listen_ssl %}
listen {{ port }} ssl{% if __http2 %} http2{% endif %};
{% endfor %}
{% for port in __listen_proxy_protocol_ssl %}
listen {{ port }} ssl{% if __http2 %} http2{% endif %} proxy_protocol;
{% endfor %}
{{ ssl(__ssl_name) }}
{% if item.ssl_template is not defined or item.ssl_template != false %}
include {{ nginx_helper_dir + '/ssl-' + item.ssl_template | default('strong') }};
add_header Strict-Transport-Security "{{ item.hsts | default(nginx_default_hsts) }}" always;
{% endif %}
server_name {{ server_name(item.redirect_from) }};
location / {
return 301 https://{{ __main_name }}{% if '443' not in __listen_ssl and 443 not in __listen_ssl %}:{{ __listen_ssl[0] }}{% endif %}$request_uri;
}
} }
{% endif %} {% endif %}
{% endif %}
# vim:filetype=nginx # vim:filetype=nginx
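Review bot: the new HTTPS `server` for the `redirect_from` names uses `ssl(__ssl_name)`, i.e. the main site's certificate, and the browser validates that certificate before it ever sees the 301, so every `redirect_from` name must be a SAN on it. acme.yml issues `-d` for `nginx_sites | nginx_search_by_ssl_name(...) | nginx_all_site_names`; confirm that filter includes `redirect_from`, otherwise users reaching the alias over HTTPS get a certificate error instead of a redirect. The `'443' not in __listen_ssl and 443 not in __listen_ssl` test correctly covers both string and integer port values.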

View File

@@ -1,67 +0,0 @@
{% extends "_php.j2" %}
{% block root %}
root {{ nginx_nagios_root }};
{% endblock %}
{% block template_try_files %}
{% endblock %}
{% block template_index %}
index index.php index.html;
{% endblock %}
{% block template_headers %}
# --> Custom headers
{% for key, value in __headers.iteritems() %}
{% if key == "X-Frame-Options" %}
# X-Frame-Options forced by Ansible
add_header {{ key }} "SAMEORIGIN"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') %} always{% endif %};
{% else %}
add_header {{ key }} "{{ value | replace(' always', '') }}"{% if nginx_version.stdout | version_compare('1.7.5', 'ge') and ' always' in value %} always{% endif %};
{% endif %}
{% endfor %}
# <-- Custom headers
{% endblock %}
{% block template_local_content %}
location ~ /\.ht {
deny all;
}
location /stylesheets {
{% if nginx_nagios_stylesheets is defined %}
alias {{ nginx_nagios_stylesheets }};
{% endif %}
expires 60d;
}
{% endblock %}
{% block template_upstream_location %}
{% if ansible_distribution == 'Debian' %}
location /cgi-bin/nagios3 {
root /usr/lib;
{% elif ansible_distribution == 'FreeBSD' %}
location /cgi-bin {
{% endif %}
try_files $uri =404;
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf;
{% endif %}
fastcgi_pass unix:{{ nginx_fcgiwrap_sock }};
fastcgi_param AUTH_USER $remote_user;
fastcgi_param REMOTE_USER $remote_user;
}
location ~ \.php$ {
fastcgi_pass {{ php_upstream }};
fastcgi_index index.php;
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf;
{% endif %}
}
{% endblock %}

View File

@@ -1,87 +0,0 @@
{% extends "_php.j2" %}
{% block root %}
root {{ nginx_owncloud_root }};
{% endblock %}
{% block template_index %}
index index.php;
{% endblock %}
{% block template_more %}
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
gzip off;
client_max_body_size 10G;
fastcgi_buffers 64 4K;
rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
{% endblock %}
{% block template_headers %}
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Content-Type-Options nosniff;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Frame-Options SAMEORIGIN;
{% endblock %}
{% block template_try_files %}
try_files $uri $uri/ =404;
{% endblock %}
{% block template_upstream_location %}
location ~ /remote.php {
dav_methods PUT DELETE MKCOL COPY MOVE;
dav_ext_methods PROPFIND OPTIONS;
fastcgi_pass {{ php_upstream }};
fastcgi_param HOME {{ nginx_owncloud_root }};
fastcgi_param HTTP_HOME {{ nginx_owncloud_root }};
fastcgi_param PATH /usr/local/bin:/usr/bin:/bin;
fastcgi_param modHeadersAvailable true;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf;
{% endif %}
}
location ~ \.php(?:$|/) {
fastcgi_pass {{ php_upstream }};
fastcgi_index index.php;
fastcgi_param HOME {{ nginx_owncloud_root }};
fastcgi_param HTTP_HOME {{ nginx_owncloud_root }};
fastcgi_param PATH /usr/local/bin:/usr/bin:/bin;
fastcgi_param modHeadersAvailable true;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf;
{% endif %}
}
{% endblock %}
{% block template_local_content %}
location ~* \.(?:css|js)$ {
try_files $uri /index.php$is_args$args;
expires 2h;
}
location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
expires 2d;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ~ ^/(?:\.ht|data|config|db_structure\.xml|README){
deny all;
}
{% endblock %}

View File

@@ -1,45 +1,22 @@
{% extends "_base.j2" %} {% extends "_base.j2" %}
{% macro phpv(version) %}
{% if version == 56 or version == "56" or version == "5.6" %}
{{ nginx_upstream_php56 -}}
{% elif version == 70 or version == "70" or version == "7.0" %}
{{ nginx_upstream_php70 -}}
{% else %}
{# Hack... define another upstream #}
{{ version -}}
{% endif %}
{%- endmacro -%}
{% if item.php_version is defined %}
{% set php_upstream = phpv(item.php_version) %}
{% elif nginx_php56 %}
{% set php_upstream = phpv(56) %}
{% elif nginx_php70 %}
{% set php_upstream = phpv(70) %}
{% endif %}
{% block template_index %} {% block template_index %}
index {{ item.index | default('index.html index.htm index.php') }}; index {{ item.index | default('index.html index.htm index.php') }};
{% endblock %} {% endblock %}
{% block template_try_files %} {% block template_try_files %}
try_files {{ override_try_files | default('$uri $uri/ /index.php') }}; try_files {{ item.override_try_files | default('$uri $uri/ =404') }};
{% endblock %} {% endblock %}
{% block template_upstream_location %} {% block template_upstream_location %}
location ~ \.php$ { location ~ \.php$ {
fastcgi_pass {{ php_upstream }}; fastcgi_pass {{ item.php_upstream }};
fastcgi_index index.php; fastcgi_index index.php;
{% if item.upstream_params is defined and item.upstream_params is iterable %} {% if item.upstream_params is defined and item.upstream_params is iterable %}
{% for param in item.upstream_params %} {% for param in item.upstream_params %}
{{ param }} {{ param }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf; include fastcgi.conf;
{% endif %}
} }
{% endblock %} {% endblock %}
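Review bot: `fastcgi_pass {{ item.php_upstream }}` has no default and nothing checks that the value names an entry in `nginx_php[].upstream_name`, so a typo in a site definition only surfaces when nginx rejects the rendered config at reload; an `assert` in the tasks (or `item.php_upstream | mandatory`) would fail earlier with a readable message. The switch from `override_try_files` to `item.override_try_files` fixes a lookup of a play-level variable instead of the site's own, and the new `=404` default is the safer behaviour for unknown URIs; both deserve a changelog line.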


@@ -2,18 +2,14 @@
{% block template_upstream_location %} {% block template_upstream_location %}
location = /index.php { location = /index.php {
fastcgi_pass {{ php_upstream }}; fastcgi_pass {{ item.php_upstream }};
fastcgi_index index.php; fastcgi_index index.php;
{% if item.upstream_params is defined and item.upstream_params is iterable %} {% if item.upstream_params is defined and item.upstream_params is iterable %}
{% for param in item.upstream_params %} {% for param in item.upstream_params %}
{{ param }} {{ param }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if nginx_version.stdout | version_compare('1.6.1', 'lt') %}
include fastcgi_params;
{% else %}
include fastcgi.conf; include fastcgi.conf;
{% endif %}
} }
{% endblock %} {% endblock %}
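Review bot: the `upstream_params` loop plus `fastcgi_pass`/`fastcgi_index`/`include fastcgi.conf` are now copied verbatim into `_php.j2`, this template and the two new templates that follow; since all of them extend `_php.j2`, a dedicated block (for example `{% block template_fastcgi_common %}`) or a macro in the base would keep the four copies in sync when a parameter is added or the include changes.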


@@ -0,0 +1,18 @@
{% extends "_php.j2" %}
{% block template_try_files %}
try_files {{ item.override_try_files | default('$uri $uri/ /index.php') }};
{% endblock %}
{% block template_upstream_location %}
location = /index.php {
fastcgi_pass {{ item.php_upstream }};
fastcgi_index index.php;
{% if item.upstream_params is defined and item.upstream_params is iterable %}
{% for param in item.upstream_params %}
{{ param }}
{% endfor %}
{% endif %}
include fastcgi.conf;
}
{% endblock %}
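Review bot: this file differs from the preceding `location = /index.php` template only in the `try_files` default (`/index.php` fallback instead of the base's `=404`); extending that template and overriding just `template_try_files` would avoid the duplicated upstream block. A front-controller fallback means every unknown URI, `/lorem.php` included (which is exactly what the `VERIFY INDEX2` check in test.yml requests), is executed by `index.php`, so a header comment stating that intent would help whoever picks this template for a real site.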


@@ -0,0 +1,27 @@
{% extends "_php.j2" %}
{% block template_try_files %}
try_files $uri /index.php$is_args$args;
{% endblock %}
{% block template_upstream_location %}
location /bundles {
try_files $uri =404;
}
location ~ ^/index\.php(/|$) {
fastcgi_pass {{ item.php_upstream }};
fastcgi_index index.php;
{% if item.upstream_params is defined and item.upstream_params is iterable %}
{% for param in item.upstream_params %}
{{ param }}
{% endfor %}
{% endif %}
include fastcgi.conf;
internal;
}
location ~ \.php$ {
return 404;
}
{% endblock %}
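Review bot: `location ~ ^/index\.php(/|$)` accepts path-info requests but the block declares no `fastcgi_split_path_info`, so `$fastcgi_script_name` (which `fastcgi.conf` uses for `SCRIPT_FILENAME`) keeps the `/foo` suffix and PHP-FPM only copes if `cgi.fix_pathinfo` is enabled; add `fastcgi_split_path_info ^(.+\.php)(/.*)$;` before the include. The `internal;` on that block together with `location ~ \.php$ { return 404; }` is the right shape: only the `try_files` fallback can reach PHP and no other script path is served.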


@@ -1,30 +0,0 @@
#
# {{ ansible_managed }}
#
{% if nginx_php56 %}
upstream {{ nginx_upstream_php56 }} {
{% for item in nginx_php56_sockets %}
{% if item.unix_socket is defined %}
server unix:{{ item.unix_socket }} weight={{ item.weight | default('1') }};
{% else %}
server {{ item.host }}:{{ item.port }} weight={{ item.weight | default('1') }} max_fails={{ item.max_fails | default('5') }} fail_timeout={{ item.fail_timeout | default('10s') }};
{% endif %}
{% endfor %}
}
{% endif %}
{% if nginx_php70 %}
upstream {{ nginx_upstream_php70 }} {
{% for item in nginx_php70_sockets %}
{% if item.unix_socket is defined %}
server unix:{{ item.unix_socket }} weight={{ item.weight | default('1') }};
{% else %}
server {{ item.host }}:{{ item.port }} weight={{ item.weight | default('1') }} max_fails={{ item.max_fails | default('5') }} fail_timeout={{ item.fail_timeout | default('10s') }};
{% endif %}
{% endfor %}
}
{% endif %}
# vim:filetype=nginx
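Review bot: deleting this upstream template drops the `max_fails`/`fail_timeout` defaults (5 and 10s) that TCP socket entries received and the `unix:` branch for `unix_socket` entries; the template that now renders `nginx_php[].sockets` is not part of this diff, so confirm it carries both, otherwise failing PHP-FPM backends fall back to nginx's own defaults (`max_fails=1`, `fail_timeout=10s`) and unix-socket pools lose their syntax.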


@@ -1,4 +0,0 @@
FROM williamyeh/ansible:debian8-onbuild
RUN apt-get update
CMD ["sh", "tests/travis.sh"]
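Review bot: the `CMD` here ran `tests/travis.sh`, which this change deletes as well; make sure the replacement CI definition lands in the same change so there is no revision without a runnable test entry point.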


@@ -1,11 +1 @@
--- ---
- name: APT | Install web apps
apt: pkg={{ item }} state=present install_recommends=no
with_items:
- backuppc
- nagios3
# - owncloud
- name: SERVICE | Ensure backuppc is started
service: name=backuppc state=started
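Review bot: after removing the backuppc/nagios3 tasks the file holds only `---`, yet test.yml still loads it through `include_tasks: "includes/post_{{ ansible_distribution }}.yml"`; either drop the include and the file, or leave a comment stating that the Debian post-tasks are intentionally empty so the next reader does not look for missing tasks.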


@@ -1,31 +1 @@
--- ---
- name: APT | Install web apps
pkgng: pkg={{ item }} state=present
with_items:
- nagios
- backuppc
- name: COMMAND | Activate backuppc config
command: >
cp /usr/local/etc/backuppc/config.pl.sample /usr/local/etc/backuppc/config.pl
creates=/usr/local/etc/backuppc/config.pl
- name: FILE | Fix backuppc permissions
file: >
path=/usr/local/etc/backuppc/config.pl
owner=backuppc
group=backuppc
- name: FILE | Fix fcgiwrap permission
file: >
path={{ nginx_fcgiwrap_sock }}
mode=0640
owner={{ nginx_user }}
group={{ nginx_user }}
#
# We don't manage BackupPC on FreeBSD... too dirty. :/
#
#- name: SERVICE | Ensure backuppc is started
# service: name=backuppc state=started enabled=yes
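Review bot: the `FILE | Fix fcgiwrap permission` task (socket mode 0640, owned by the nginx user) goes away with BackupPC, but `fcgiwrap` is still installed and started in the FreeBSD pre-tasks of this change; if no remaining test site needs fcgiwrap, remove it there too, otherwise keep the permission task so the socket is not left with the package's default mode.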


@@ -1,47 +1,83 @@
--- ---
- name: APT_REPOSITORY | Install backports - name: APT_REPOSITORY | Install backports
apt_repository: repo='deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main' state=present apt_repository:
repo: 'deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main'
- block: state: present
- name: APT | Install DotDeb key when: nginx_backports
apt_key: url='http://www.dotdeb.org/dotdeb.gpg' state=present
- name: APT_REPOSITORY | Install dotdeb (PHP 7)
apt_repository: repo='deb http://packages.dotdeb.org {{ ansible_distribution_release }} all' state=present
- name: LINEFILEFILE | Dotdeb priority (prevent install nginx from dotdeb)
copy: >
content="Package: *\nPin: release o=packages.dotdeb.org\nPin-Priority: 100"
dest=/etc/apt/preferences
when: ansible_distribution_release == 'jessie' and dotdeb
- name: APT | Install needed packages - name: APT | Install needed packages
apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present apt:
with_items: pkg: "{{ packages }}"
update_cache: true
cache_valid_time: 3600
state: present
vars:
packages:
- cron
- curl - curl
- fcgiwrap - daemonize
- jq
- nghttp2 - nghttp2
- strace - strace
- vim - vim
- unzip
- name: APT | Install PHP5.6 - name: APT | Install PHP
apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present apt:
with_items: pkg: "{{ pkgs }}"
- php5-fpm update_cache: true
- php5-sqlite cache_valid_time: 3600
when: nginx_php56 state: present
vars:
pkgs:
- php-cli
- php-fpm
- name: APT | Install PHP7 - name: SHELL | Get current PHP version
apt: pkg={{ item }} update_cache=yes cache_valid_time=3600 state=present shell: php --version | awk '/^PHP/ { print $2 }' | grep -o -E '^.{3}'
with_items: changed_when: false
- php7.0-fpm register: cur_php_version
- php7.0-sqlite3
when: nginx_php70
- name: SERVICE | Force start services # Bypasses Ansible+Docker issue. With service module... php is not really started!
service: name={{ item.name }} state=started - name: COMMAND | Force start PHP
register: sf command: "service php{{ cur_php_version.stdout }}-fpm start"
with_items: args:
- { name: 'php5-fpm', cond: "{{ nginx_php56 }}" } creates: "/run/php/php{{ cur_php_version.stdout }}-fpm.pid"
- { name: 'php7.0-fpm', cond: "{{ nginx_php70 }}" } warn: false
- { name: 'fcgiwrap', cond: true }
when: "{{ item.cond }}" - name: GET_URL | Download ngrok
get_url:
url: "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip"
dest: "/tmp/ngrok.zip"
- name: UNARCHIVE | Uncompress ngrok
unarchive:
src: "/tmp/ngrok.zip"
dest: "/tmp"
remote_src: true
- name: SET_FACT | ngrok_path
set_fact:
ngrok_path: '/tmp/ngrok'
- name: USER | Create PHP User foo
user:
name: foo
system: true
- name: INCLUDE_ROLE | HanXHX.php
include_role:
name: "{{ playbook_dir }}/HanXHX.php"
vars:
php_version: "{{ cur_php_version.stdout }}"
php_autoremove_default_pool: false
php_fpm_poold:
- name: 'hx_unix'
user: 'foo'
php_value:
display_errors: 'Off'
php_admin_value:
memory_limit: '98M'
- name: 'hx_ip'
listen: '127.0.0.1:9636'
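Review bot: `GET_URL | Download ngrok` fetches a binary that the play later executes as root, with no `checksum:` parameter; pin it with `checksum: sha256:<expected digest>` (placeholder, take the value from a verified download) so a changed artifact fails the task instead of being run. `SHELL | Get current PHP version` has no `set -o pipefail` (unlike the other shell pipelines in this change) and `grep -o -E '^.{3}'` assumes a single-digit minor version; `php -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;'` yields the same `7.4`-style value without text parsing. `warn: false` on `command` is deprecated since ansible-core 2.11 and removed in 2.14, so the task will need that key dropped.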


@@ -2,24 +2,65 @@
- name: SET_FACT | FreeBSD web user - name: SET_FACT | FreeBSD web user
set_fact: set_fact:
nginx_pkgng_package: 'nginx-devel' nginx_pkgng_package: 'nginx-full'
nginx_user: 'www' nginx_user: 'www'
nginx_php70: false nginx_php:
nginx_php56_sockets: - upstream_name: 'manual'
sockets:
- host: '127.0.0.1' - host: '127.0.0.1'
port: 9000 port: 9000
- upstream_name: 'hx_unix'
sockets:
- host: '127.0.0.1'
port: 9000
- upstream_name: 'hx_ip'
sockets:
- host: '127.0.0.1'
port: 9000
ngrok_path: '/usr/local/bin/ngrok'
- name: PKGNG | Install needed packages - name: PKGNG | Install needed packages
pkgng: pkg={{ item }} state=present pkgng:
with_items: pkg: "{{ packages }}"
- php56 state: present
vars:
packages:
- bash
- curl - curl
- daemonize
- fcgiwrap - fcgiwrap
- jq
- nghttp2 - nghttp2
- php74
- vim
- name: SERVICE | Force start services - name: SERVICE | Force start services
service: name={{ item }} state=started enabled=yes service:
name: "{{ item }}"
state: started
enabled: true
register: sf register: sf
with_items: loop:
- php-fpm - php-fpm
- fcgiwrap
- name: STAT | Check ports
stat:
path: /usr/ports
register: ports
- block:
- name: COMMAND | Get ports
command: portsnap fetch --interactive
- name: COMMAND | Extract ports
command: portsnap extract
no_log: true
when: not ports.stat.exists
- name: SHELL | Install ngrok
shell: make install clean DISABLE_LICENSES=yes
args:
chdir: /usr/ports/security/ngrok
creates: "{{ ngrok_path }}"
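Review bot: the three FreeBSD upstreams `manual`, `hx_unix` and `hx_ip` all point at `127.0.0.1:9000`, so `test-php-index.local` and `test-php-index2.local` do not exercise separate pools there the way they do on Debian; a comment saying this is deliberate would save the next reader a search. `no_log: true` on the ports extraction also hides the error output if `portsnap extract` fails; `no_log` is meant for secrets, so for a long-running command it is better to let it log.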


@@ -0,0 +1,30 @@
---
- name: SHELL | Start ngrok
shell: daemonize -l /tmp/ngrok.lock {{ ngrok_path }} http 80 -bind-tls=false
failed_when: false
changed_when: ngrok.stderr.find("Can't lock the lock file") == -1
register: ngrok
- name: WAIT_FOR | ngrok started
wait_for:
delay: 2
port: 4040
when: ngrok.changed
- name: SHELL | Get ngrok public address
shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3
args:
executable: /bin/bash
warn: false
register: ngrok
changed_when: false
- name: LINEINFILE | Tune vimrc
lineinfile:
line: "set mouse="
dest: "{{ item }}/.vimrc"
create: true
loop:
- /root
- /home/vagrant
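Review bot: `failed_when: false` on `SHELL | Start ngrok` swallows every failure (missing binary, bad arguments), and only the `Can't lock the lock file` case is classified through `changed_when`; any other failure then shows up as a `wait_for` timeout on port 4040 with no explanation. Narrow it to `failed_when: ngrok.rc != 0 and "Can't lock the lock file" not in ngrok.stderr` (assuming `daemonize` exits non-zero when the lock is held). The lock file is a fixed path in world-writable `/tmp`; `/run/ngrok.lock` avoids interference from other users on a shared host.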


@@ -0,0 +1,16 @@
# {{ ansible_managed }} - custom template
server {
listen 80;
listen 8888 http2;
listen 9999 http2 proxy_protocol;
server_name {{ item.name }};
index index.html index.htm;
root {{ item.root }};
location / {
try_files $uri $uri/ =404;
}
}
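Review bot: `server_name {{ item.name }}` renders a Python list (`['a', 'b']`) when a site is declared with several names, a form the `/etc/hosts` task in this change explicitly supports (`s.name is string` branch); use the `nginx_site_name` filter the tests use, or `{{ item.name if item.name is string else item.name | join(' ') }}`. As this is the reference example for `custom_template`, it should also note that `item.root` is required by this template.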


@@ -2,25 +2,64 @@
- hosts: all - hosts: all
pre_tasks: pre_tasks:
- debug: var=dotdeb
- debug: var=nginx_php56 - name: INCLUDE_TASKS | Pre_tasks related to OS version
- debug: var=nginx_php70 ansible.builtin.include_tasks: "includes/pre_{{ ansible_distribution }}.yml"
- debug: var=nginx_backports
- name: INCLUDE | Pre_tasks related to OS version - name: IMPORT_TASKS | Pre_tasks common
include: "includes/pre_{{ ansible_distribution }}.yml" ansible.builtin.import_tasks: "includes/pre_common.yml"
- name: FILE | Create an internal SSL dir - name: FILE | Create an internal SSL dir
file: path={{ int_ansible_ssl_dir }} state=directory ansible.builtin.file:
path: "{{ int_ansible_ssl_dir }}"
state: directory
mode: 0750
owner: root
group: root
- name: COPY | Deploy test certificate - name: COPY | Deploy test certificate
copy: src=file/test.crt dest={{ int_ansible_ssl_dir }}/test.crt ansible.builtin.copy:
src: "file/test.crt"
dest: "{{ int_ansible_ssl_dir }}/test.crt"
mode: 0640
owner: root
group: root
- name: COPY | Deploy test key - name: COPY | Deploy test key
copy: src=file/test.key dest={{ int_ansible_ssl_dir }}/test.key ansible.builtin.copy:
src: "file/test.key"
dest: "{{ int_ansible_ssl_dir }}/test.key"
mode: 0640
owner: root
group: root
- name: COPY | Add all hosts in /etc/hosts
ansible.builtin.copy:
content: |
127.0.0.1 localhost
{% for s in nginx_sites %}
{% if s.name is string %}
127.0.0.1 {{ s.name }}
{% else %}
127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %}
{% endif %}
{% if s.redirect_from is defined %}
127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %}
{% endif %}
{% endfor %}
dest: "/etc/hosts"
mode: 0644
owner: root
group: root
unsafe_writes: true
vars: vars:
# Internal vars # Internal vars
int_ansible_ssl_dir: '/etc/ansible-ssl' int_ansible_ssl_dir: '/etc/ansible-ssl'
# Role vars # Role vars
nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number
nginx_apt_package: 'nginx-extras' nginx_apt_package: 'nginx-extras'
nginx_dyn_modules: ['http_geoip'] nginx_module_packages: ['libnginx-mod-http-headers-more-filter']
nginx_upstreams: nginx_upstreams:
- name: 'test' - name: 'test'
servers: servers:
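Review bot: `unsafe_writes: true` on the `/etc/hosts` copy needs a comment: it disables the atomic write-and-rename so the file can be updated where it is a bind mount (Docker), at the cost of a non-atomic update; without the comment it reads like a leftover. The content also replaces the whole file, so `::1 localhost` and any hostname entry the container runtime added are gone after the play; acceptable for CI, but worth stating next to the task.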
@@ -44,17 +83,21 @@
state: 'absent' state: 'absent'
- name: 'hanx' - name: 'hanx'
password: 'qwerty' password: 'qwerty'
- name: 'nagios'
description: 'Please login to Nagios!'
users:
- name: 'nagiosadmin'
password: 'nagios'
- name: 'deleteme' - name: 'deleteme'
description: 'Please login!' description: 'Please login!'
users: [] users: []
state: 'absent' state: 'absent'
nginx_acmesh: true
nginx_acmesh_test: true
nginx_ssl_pairs: nginx_ssl_pairs:
- name: 'test-ssl-predeployed.local' - name: '{{ ngrok.stdout }}'
acme: true
- name: 'test-ssl-selfsigned.local'
self_signed: true
force: false
- name:
- 'test-ssl-predeployed.local'
- 'test-multiple-name.local' # Hack: tests for acme with multiple name, without using acme
dest_key: "{{ int_ansible_ssl_dir }}/test.key" dest_key: "{{ int_ansible_ssl_dir }}/test.key"
dest_cert: "{{ int_ansible_ssl_dir }}/test.crt" dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
- name: 'test-ssl.local' - name: 'test-ssl.local'
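Review bot: `nginx_acmesh_test: true` should select the ACME staging endpoint so CI runs do not consume production rate limits for the ngrok hostname; the flag's meaning is not visible in this hunk, so a comment naming the endpoint would help. The two-name pair that reuses `test.key`/`test.crt` is marked as a hack, and none of the SSL checks later in this play request `test-multiple-name.local`, so the second name is untested; say so in the comment or add a request for it.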
@@ -108,23 +151,23 @@
-----END CERTIFICATE----- -----END CERTIFICATE-----
nginx_custom_http: nginx_custom_http:
- 'add_header X-ansible 1;' - 'add_header X-ansible 1;'
- 'geoip_country /usr/share/GeoIP/GeoIP.dat;' - 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
- 'map $geoip_country_code $allowed_country {' - 'map $geoip_country_code $allowed_country {'
- ' default yes;' - ' default yes;'
- ' MA no;' - ' MA no;'
- ' DZ no;' - ' DZ no;'
- ' TN no;' - ' TN no;'
- '}' - '}'
nginx_default_vhost: 'first-test' nginx_default_site: 'test.local'
nginx_default_vhost_ssl: 'test-ssl-predeployed.local' nginx_default_site_ssl: 'test-ssl-predeployed.local'
nginx_vhosts: nginx_sites:
- name: - name:
- 'test.local' - 'test.local'
- 'test-alias.local' - 'test-alias.local'
- 'test2-alias.local' - 'test2-alias.local'
template: '_base' template: '_base'
filename : 'first-test' filename: 'first-test'
override_try_files: '$uri $uri index.htm index.html' override_try_files: '$uri/ $uri =404'
headers: headers:
'X-Frame-Options': 'deny always' 'X-Frame-Options': 'deny always'
'X-ansible-default': '1' 'X-ansible-default': '1'
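Review bot: renaming `nginx_vhosts`, `nginx_default_vhost` and `nginx_default_vhost_ssl` to `nginx_sites`, `nginx_default_site` and `nginx_default_site_ssl` (and `fact_nginx_vhosts` to `fact_nginx_sites` in the facts check) breaks every existing playbook using the role; document the migration in the changelog and consider an `assert` that fails with a clear message when the old variable names are still defined, so users do not silently end up with no sites deployed.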
@@ -144,9 +187,10 @@
- 'deny all;' - 'deny all;'
- name: 'test-htpasswd.local' - name: 'test-htpasswd.local'
template: '_base' template: '_base'
location: location_before:
'/hello': '/hello':
- htpasswd: 'hello' - htpasswd: 'hello'
location:
'/public': '/public':
- htpasswd: false - htpasswd: false
use_error_log: true use_error_log: true
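Review bot: moving `/hello` from `location` to `location_before` implies an ordering guarantee that nginx does not give for prefix locations: the longest matching prefix wins regardless of its position in the file, and regex locations are tried before any non-`^~` prefix match. The split only matters if `location_before` is emitted ahead of template blocks that contain regex or `^~` locations, so the test should state which case it exercises.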
@@ -155,22 +199,24 @@
htpasswd: 'hello' htpasswd: 'hello'
- name: 'test-location.local' - name: 'test-location.local'
template: '_base' template: '_base'
location_before:
'/b':
- 'alias /var/tmp;'
'/c':
- 'alias /var/tmp;'
location: location:
'/': '/':
- 'alias /var/tmp;' - 'alias /var/tmp;'
'/a': '/a':
- 'alias /var/tmp;' - 'alias /var/tmp;'
'/b': location_order_before:
- 'alias /var/tmp;' - '/b'
'/c': - '/c'
- 'alias /var/tmp;'
location_order: location_order:
- '/' - '/'
- '/a' - '/a'
- '/b'
- '/c'
- name: 'test-php.local' - name: 'test-php.local'
php_version: "{{ '7.0' if nginx_php70 else '5.6' }}" php_upstream: "manual"
upstream_params: upstream_params:
- 'fastcgi_param FOO bar;' - 'fastcgi_param FOO bar;'
redirect_from: redirect_from:
@@ -180,6 +226,10 @@
use_access_log: true use_access_log: true
- name: 'test-php-index.local' - name: 'test-php-index.local'
template: '_php_index' template: '_php_index'
php_upstream: 'hx_unix'
- name: 'test-php-index2.local'
template: '_php_index2'
php_upstream: 'hx_ip'
- name: 'test-proxy.local' - name: 'test-proxy.local'
listen: listen:
- 8080 - 8080
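Review bot: `php_upstream: 'hx_unix'` and `'hx_ip'` name upstreams that the Debian play vars never define (`nginx_php` at the end of the vars lists only `manual`); they appear only as `php_fpm_poold` pool names handed to the HanXHX.php role in the pre-tasks, so the nginx role presumably discovers them from that role's facts. A comment at these two sites explaining where the upstreams come from would save guesswork, and the names mislead on FreeBSD, where both resolve to `127.0.0.1:9000`.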
@@ -191,15 +241,15 @@
state: 'absent' state: 'absent'
- name: 'redirect-to.local' - name: 'redirect-to.local'
redirect_to: 'http://test.local' redirect_to: 'http://test.local'
- name: 'backuppc.local'
template: '_backuppc'
htpasswd: 'hello'
- name: 'nagios3.local'
template: '_nagios3'
htpasswd: 'nagios'
- name: 'test-ssl.local' - name: 'test-ssl.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
- name:
- 'test-ssl-selfsigned.local'
- 'www.test-ssl-selfsigned.local'
proto: ['http', 'https']
template: '_base'
hsts: 'max-age=1664;'
- name: 'test-ssl-predeployed.local' - name: 'test-ssl-predeployed.local'
proto: ['http', 'https'] proto: ['http', 'https']
template: '_base' template: '_base'
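Review bot: `hsts: 'max-age=1664;'` carries a trailing `;` inside the value while every other header value in this play (`'X-Frame-Options': 'deny always'`) does not; whether the template expects that terminator or adds its own is not visible here, so confirm the rendered `add_header` line does not end up with `;;` or with the semicolon inside the quoted header value. The 1664-second max-age is fine as a test value; a comment that real sites should rely on the role's global HSTS default would avoid copy-paste.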
@@ -212,218 +262,313 @@
template: '_base' template: '_base'
ssl_name: 'test-ssl.local' ssl_name: 'test-ssl.local'
redirect_https: true redirect_https: true
- name: 'test-ssl-proxy-protocol.local' - name:
proto: ['http', 'https'] - 'test-ssl-redirect-many.local'
listen: [80, 20080] - 'test-ssl-redirect-many2.local'
listen_ssl: [443, 20443] listen_ssl: [8443]
http_proxy_protocol_port: [20080] proto: ['https']
https_proxy_protocol_port: [20443]
template: '_base' template: '_base'
ssl_name: 'test-ssl.local' ssl_name: 'test-ssl.local'
nginx_dh_length: 2048 redirect_https: true
redirect_from:
- 'www.test-ssl-redirect-many.local'
- 'www.test-ssl-redirect-many2.local'
- name: 'test-ssl-proxy-protocol.local'
proto: ['http', 'https']
listen_proxy_protocol: [20080]
listen_proxy_protocol_ssl: [20443]
template: '_base'
ssl_name: 'test-ssl.local'
headers:
'X-Proxy-Protocol': '1'
- name: '{{ ngrok.stdout }}'
proto: ['http', 'https']
listen_proxy_protocol: [21080]
listen_proxy_protocol_ssl: [21443]
template: '_base'
ssl_name: '{{ ngrok.stdout }}'
headers:
'X-acme': '1'
- name: 'test-custom-template.local'
custom_template: 'templates/custom_template.conf.j2'
root: '/tmp/custom-template'
nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636' }] }] }}"
nginx_dh_length: 1024
roles: roles:
- ../../ - ../../
post_tasks: post_tasks:
# -------------------------------- # --------------------------------
# Apps # Apps
# -------------------------------- # --------------------------------
- name: INCLUDE | Post_tasks related to OS version - name: INCLUDE_TASKS | Post_tasks related to OS version
include: "includes/post_{{ ansible_distribution }}.yml" ansible.builtin.include_tasks: "includes/post_{{ ansible_distribution }}.yml"
# --------------------------------
# Deploy index files # --------------------------------
# -------------------------------- # Deploy index files
# --------------------------------
- name: -- Add PHP file -- - name: -- Add PHP file --
copy: dest="{{ nginx_root }}/{{ item }}/public/index.php" content="<?php phpinfo();" ansible.builtin.copy:
with_items: ['test-php.local', 'test-php-index.local'] dest: "{{ nginx_root }}/{{ item }}/public/index.php"
content: "<?php phpinfo();"
mode: 0644
owner: root
group: root
loop:
- 'test-php.local'
- 'test-php-index.local'
- 'test-php-index2.local'
- name: -- Add Directories --
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0755
loop:
- "{{ nginx_root }}/test-htpasswd.local/public/hello"
- "/tmp/custom-template"
- name: -- Add HTML file -- - name: -- Add HTML file --
copy: dest="{{ item }}/index.html" content="Index HTML test OK\n" ansible.builtin.copy:
with_items: ['{{ nginx_root }}/first-test/public', '/var/tmp', '{{ nginx_root }}/test-htpasswd-all.local/public', '{{ nginx_root }}/test-ssl.local/public', '{{ nginx_root }}/test-ssl-predeployed.local/public', '{{ nginx_root }}/test-ssl-proxy-protocol.local/public'] dest: "{{ item }}/index.html"
content: "Index HTML test OK\n"
mode: 0644
owner: root
group: root
loop:
- '{{ nginx_root }}/first-test/public'
- '/var/tmp'
- '{{ nginx_root }}/test-htpasswd-all.local/public'
- '{{ nginx_root }}/test-ssl.local/public'
- '{{ nginx_root }}/test-ssl-selfsigned.local/public'
- '{{ nginx_root }}/test-ssl-predeployed.local/public'
- '{{ nginx_root }}/test-ssl-proxy-protocol.local/public'
- '{{ nginx_root }}/{{ ngrok.stdout }}/public'
- name: -- Create directory -- - name: -- Create directory --
file: path={{ nginx_root }}/test-htpasswd.local/public/hello state=directory ansible.builtin.file:
path: "{{ nginx_root }}/test-htpasswd.local/public/hello"
state: directory
mode: 0755
owner: root
group: root
- name: -- Add HTML file hello -- - name: -- Add HTML file hello --
copy: dest="{{ nginx_root }}/test-htpasswd.local/public/hello/index.html" content="hello\n" ansible.builtin.copy:
# -------------------------------- dest: "{{ nginx_root }}/test-htpasswd.local/public/hello/index.html"
# Test custom facts content: "hello\n"
# -------------------------------- mode: 0644
owner: root
group: root
# --------------------------------
# Test custom facts
# --------------------------------
- name: -- CHECK FACTS -- - name: -- CHECK FACTS --
assert: ansible.builtin.assert:
that: "'{{ ansible_local.nginx.fact_nginx_vhosts[0].name[0] }}' == 'test.local'" that: "'{{ ansible_local.nginx.fact_nginx_sites[0].name[0] }}' == 'test.local'"
# --------------------------------
# Simple vhosts tests # --------------------------------
# -------------------------------- # Simple sites tests
- name: -- VERIFY VHOSTS -- # --------------------------------
command: "curl -H 'Host: {{ item.name if item.name is string else item.name[0] }}' http://127.0.0.1{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/" - name: -- VERIFY SITES --
with_items: "{{ nginx_vhosts }}" ansible.builtin.uri:
url: "http://{{ item | nginx_site_name }}{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
status_code: '200,301,302,401,403'
follow_redirects: none
loop: "{{ nginx_sites }}"
when: item.state is undefined or item.state != "absent" when: item.state is undefined or item.state != "absent"
changed_when: false changed_when: false
- name: -- VERIFY FORBIDDEN -- - name: -- VERIFY FORBIDDEN --
command: "curl -H 'Host: test-php-index.local' http://127.0.0.1/phpinfo.php" ansible.builtin.uri:
register: f url: "http://test-php-index.local/phpinfo.php"
failed_when: f.stdout.find('403 Forbidden') == -1 status_code: 403
changed_when: false
- name: -- VERIFY REDIRECT VHOSTS --
command: "curl -H 'Host: {{ item.redirect_from[0] }}' http://127.0.0.1/"
with_items: "{{ nginx_vhosts }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent")
changed_when: false
register: r
failed_when: r.stdout.find('301 Moved Permanently') == -1
# -------------------------------- - name: -- VERIFY REDIRECT SITES --
# PHP ansible.builtin.uri:
# -------------------------------- url: "http://{{ item.redirect_from[0] }}/"
- name: -- VERIFY PHP5 VHOSTS (implicit default) -- status_code: 301
command: "curl -H 'Host: {{ item }}' http://127.0.0.1/" follow_redirects: none
loop: "{{ nginx_sites }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and (item.proto is not defined or 'https' not in item.proto)
changed_when: false
- name: -- VERIFY REDIRECT HTTPS SITES --
ansible.builtin.uri:
url: "https://{{ item.redirect_from[0] }}:{{ item.listen_ssl[0] | default(443) }}/"
status_code: 301
follow_redirects: none
validate_certs: false
loop: "{{ nginx_sites }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and item.proto is defined and 'https' in item.proto
changed_when: false
# --------------------------------
# PHP
# --------------------------------
- name: -- VERIFY PHP SITES --
ansible.builtin.uri:
url: "http://{{ item.name }}/"
return_content: true
register: p register: p
changed_when: false loop: "{{ nginx_sites }}"
failed_when: p.stdout.find('PHP Version 5') == -1 when: >
with_items: ['test-php-index.local'] item.template is defined and
when: nginx_php56 (item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2')
failed_when: p.content.find('PHP Version') == -1
- name: -- VERIFY PHP7 VHOSTS -- - name: -- VERIFY INDEX2 --
command: "curl -H 'Host: {{ item }}' http://127.0.0.1/" ansible.builtin.uri:
register: p url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet"
changed_when: false return_content: true
failed_when: p.stdout.find('PHP Version 7') == -1 register: p2
with_items: ['test-php.local'] failed_when: p2.content.find('PHP Version') == -1
when: nginx_php70
# -------------------------------- # --------------------------------
# Basic Auth # Basic Auth
# -------------------------------- # --------------------------------
- name: -- VERIFY AUTH BASIC NONE -- - name: -- VERIFY AUTH BASIC NONE --
command: "curl -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/" ansible.builtin.uri:
changed_when: false url: "http://test-htpasswd.local/hello/"
register: authnone status_code: 401
failed_when: authnone.stdout.find('401 Authorization Required') == -1
- name: -- VERIFY AUTH BASIC FAIL -- - name: -- VERIFY AUTH BASIC FAIL --
command: "curl -u fail:fail -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/" ansible.builtin.uri:
changed_when: false url: "http://test-htpasswd.local/hello/"
register: authfail status_code: 401
failed_when: authfail.stdout.find('401 Authorization Required') == -1 user: "fail"
password: "fail"
force_basic_auth: true
- name: -- VERIFY AUTH BASIC OK -- - name: -- VERIFY AUTH BASIC OK --
command: "curl -u hanx:qwerty -H 'Host: test-htpasswd.local' http://127.0.0.1/hello/" ansible.builtin.uri:
changed_when: false url: "http://test-htpasswd.local/hello/"
register: authok user: "hanx"
failed_when: authok.stdout.find('hello') == -1 password: "qwerty"
force_basic_auth: true
- name: -- VERIFY AUTH BASIC FAIL GLOBAL -- - name: -- VERIFY AUTH BASIC FAIL GLOBAL --
command: "curl -u fail:fail -H 'Host: test-htpasswd-all.local' http://127.0.0.1/" ansible.builtin.uri:
changed_when: false url: "http://test-htpasswd-all.local/"
register: authgfail status_code: 401
failed_when: authgfail.stdout.find('401 Authorization Required') == -1 user: "fail"
- name: -- VERIFY AUTH BASIC OK -- password: "fail"
command: "curl -u hanx:qwerty -H 'Host: test-htpasswd-all.local' http://127.0.0.1/" force_basic_auth: true
changed_when: false
register: authgok
failed_when: authgok.stdout.find('401 Authorization Required') != -1
# -------------------------------- - name: -- VERIFY AUTH BASIC OK GLOBAL --
# BackupPC ansible.builtin.uri:
# -------------------------------- url: "http://test-htpasswd-all.local/"
- name: -- VERIFY BACKUPPC -- user: "hanx"
command: "curl -u hanx:qwerty -H 'Host: backuppc.local' http://127.0.0.1/" password: "qwerty"
changed_when: false force_basic_auth: true
register: authbpc
failed_when: authbpc.stdout.find('BackupPC Server Status') == -1
when: ansible_distribution != 'FreeBSD'
# -------------------------------- # --------------------------------
# Nagios # SSL
# -------------------------------- # --------------------------------
- name: -- VERIFY NAGIOS3 PHP --
command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/side.php"
changed_when: false
register: nagios_php
failed_when: nagios_php.stdout.find('Nagios Core') == -1
- name: -- VERIFY NAGIOS3 CGI --
command: "curl -u nagiosadmin:nagios -H 'Host: nagios3.local' http://127.0.0.1/cgi-bin{% if ansible_distribution == 'Debian' %}/nagios3{% endif %}/summary.cgi"
changed_when: false
register: nagios_cgi
failed_when: nagios_cgi.stdout.find('Nagios Event Summary') == -1
# --------------------------------
# Owncloud
# --------------------------------
# - block:
# - name: -- VERIFY OWNCLOUD --
# command: "curl -H 'Host: owncloud.local' http://127.0.0.1/"
# changed_when: false
# register: ownsimple
# failed_when: ownsimple.stdout.find('ownCloud') == -1
# - name: -- VERIFY OWNCLOUD JS (FROM PHP)--
# command: "curl -H 'Host: owncloud.local' http://127.0.0.1/index.php/core/js/oc.js"
# changed_when: false
# register: ownjsphp
# failed_when: ownjsphp.stdout.find('var oc_debug=false') == -1
# - name: -- VERIFY OWNCLOUD JS --
# command: "curl -H 'Host: owncloud.local' http://127.0.0.1/core/js/js.js"
# changed_when: false
# register: ownjs
# failed_when: ownjs.stdout.find('var oc_debug') == -1
# when: ansible_distribution != 'FreeBSD'
# --------------------------------
# SSL
# --------------------------------
- name: -- VERIFY SSL -- - name: -- VERIFY SSL --
command: "curl --insecure -H 'Host: {{ item }}' https://127.0.0.1/" ansible.builtin.uri:
changed_when: false url: "https://{{ item }}/"
return_content: true
validate_certs: false
register: sslok register: sslok
failed_when: sslok.stdout.find('Index HTML test OK') == -1 failed_when: sslok.content.find('Index HTML test OK') == -1
with_items: loop:
- 'test-ssl-predeployed.local' - 'test-ssl-predeployed.local'
- 'test-ssl-selfsigned.local'
- 'test-ssl.local' - 'test-ssl.local'
- name: -- VERIFY SSL REDIRECT -- - '{{ ngrok.stdout }}'
command: "curl -v --insecure -H 'Host: {{ item }}' http://127.0.0.1/"
changed_when: false
register: sslredirok
failed_when: >
sslredirok.stderr.find('< Location') == -1 and
sslredirok.stderr.find('https://{{ item }}/') == -1
with_items:
- 'test-ssl-redirect.local'
# -------------------------------- - name: -- VERIFY SSL REDIRECT --
# Default vhosts ansible.builtin.uri:
# -------------------------------- url: "http://{{ item.name }}/"
- name: -- VERIFY DEFAULT VHOST -- validate_certs: false
command: "curl -v http://127.0.0.1/" status_code: 301
changed_when: false return_content: true
follow_redirects: none
register: sslredirok
failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location'
loop:
- name: 'test-ssl-redirect.local'
- name: 'test-ssl-redirect-many.local'
port: '8443'
- name: 'test-ssl-redirect-many2.local'
port: '8443'
# --------------------------------
# Default sites
# --------------------------------
- name: -- VERIFY DEFAULT SITE --
ansible.builtin.uri:
url: 'http://127.0.0.1/'
return_content: true
register: vdefault register: vdefault
failed_when: > failed_when: >
vdefault.stdout.find('Index HTML test OK') == -1 or vdefault.content.find('Index HTML test OK') == -1 or
vdefault.stderr.find('X-ansible-default') == -1 vdefault.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SSL VHOST --
command: "curl --insecure -v https://127.0.0.1/" - name: -- VERIFY DEFAULT SITE + STUB STATUS--
changed_when: false ansible.builtin.uri:
register: defaultssl url: 'http://127.0.0.1/status'
failed_when: > return_content: true
defaultssl.stdout.find('Index HTML test OK') == -1 or
defaultssl.stderr.find('X-ansible-default') == -1
- name: -- VERIFY NOT DEFAULT VHOST --
command: "curl -v -H 'Host: test-php.local' http://127.0.0.1/"
changed_when: false
register: vphp
failed_when: vphp.stderr.find('X-ansible-default') != -1
- name: -- VERIFY NOT DEFAULT SSL VHOST --
command: "curl --insecure -v -H 'Host: test-ssl.local' https://127.0.0.1/"
changed_when: false
register: notdefaultssl
failed_when: notdefaultssl.stderr.find('X-ansible-default') != -1
- name: -- VERIFY DEFAULT VHOST + STUB_STATUS --
command: "curl -v http://127.0.0.1/status"
changed_when: false
register: vdefault_status register: vdefault_status
failed_when: > failed_when: >
vdefault_status.stderr.find('X-ansible-default') == -1 or vdefault_status.content.find('Active connections') == -1 or
vdefault_status.stdout.find('Active connections') == -1 vdefault_status.x_ansible_default is not defined
# -------------------------------- - name: -- VERIFY DEFAULT SSL SITE --
# Check HTTP2 ansible.builtin.uri:
# -------------------------------- url: 'https://127.0.0.1/'
- name: SHELL | Check HTTP2 return_content: true
shell: nghttp -nv https://localhost 2> /dev/null | grep -q h2 validate_certs: false
register: vdefault
failed_when: >
vdefault.content.find('Index HTML test OK') == -1 or
vdefault.x_ansible_default is not defined
- name: -- VERIFY NOT DEFAULT SITE --
ansible.builtin.uri:
url: 'http://test-php.local/'
return_content: true
register: vphp
failed_when: vphp.x_ansible_default is defined
- name: -- VERIFY NOT DEFAULT SSL SITE --
ansible.builtin.uri:
url: 'https://test-ssl.local/'
return_content: true
validate_certs: false
register: notdefaultssl
failed_when: notdefaultssl.x_ansible_default is defined
# --------------------------------
# Check Proxy protocol
# Note: Debian Stretch doesn't any version of curl with "--haproxy-protocol" argument
# --------------------------------
- block:
- name: SHELL | Check HTTP proxy protocol
ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol'
args: args:
executable: /bin/sh executable: /bin/bash
warn: false
changed_when: false
- name: SHELL | Check HTTPS proxy protocol
ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol'
args:
executable: /bin/bash
warn: false
changed_when: false
when: not (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', 'eq'))
# --------------------------------
# Check HTTP2
# --------------------------------
- name: SHELL | Check HTTP2
ansible.builtin.shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2
args:
executable: /bin/bash
changed_when: false changed_when: false
when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules
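Review bot: the two proxy-protocol tasks still pass `warn: false` to `ansible.builtin.shell`; that parameter was deprecated in ansible-core 2.13 and removed in 2.14, where it fails the task as an unsupported argument, and all it ever did was silence the hint to use the `uri` module instead of curl, so it can simply be dropped. Two behavioural changes are worth keeping in mind: the non-default-site checks moved from `curl -H 'Host: test-php.local' http://127.0.0.1/` to `uri` against `http://test-php.local/` and `https://test-ssl.local/`, so the test now depends on those names resolving on the test host instead of on an explicit Host header; and `validate_certs: false` is appropriate only because the test certificate is not trusted by the system store (the old curl call also used `--insecure`), so it should not be copied into non-test `uri` calls. Switching the first proxy-protocol task from `executable: /bin/sh` to `/bin/bash` is the right fix, since `set -o pipefail` is not POSIX sh and would have failed under dash.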

View File

@@ -1,25 +0,0 @@
#!/bin/sh
# Thanks to https://servercheck.in/blog/testing-ansible-roles-travis-ci-github
DIR=$( dirname $0 )
PLAYBOOK="$DIR/test.yml"
set -ev
ANSIBLE_VARS="{ nginx_php56: $NGINX_PHP56, nginx_php70: $NGINX_PHP70, nginx_backports: $NGINX_BACKPORTS, dotdeb: $DOTDEB }"
echo $ANSIBLE_VARS
# Check syntax
ansible-playbook -i localhost, -c local --syntax-check -vv $PLAYBOOK
# Check role
ansible-playbook -i localhost, -c local -e "$ANSIBLE_VARS" --sudo -vv $PLAYBOOK
# Check indempotence
ansible-playbook -i localhost, -c local -e "$ANSIBLE_VARS" --sudo -vv $PLAYBOOK \
| grep -q 'changed=0.*failed=0' \
&& (echo 'Idempotence test: pass' && exit 0) \
|| (echo 'Idempotence test: fail' && exit 1)
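Review bot: deleting this script also deletes the only idempotence check in the test suite (a second playbook run grepped for `changed=0.*failed=0`), so whatever replaces it in CI should keep that second run, because it is the test that catches tasks reporting `changed` on every execution. The script was stale in any case: `--sudo` has long been deprecated in favour of `--become`, and `grep -q 'changed=0.*failed=0'` matches any single recap line, so on a multi-host run it would pass as soon as one host was idempotent; a replacement should check the PLAY RECAP line of every host.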

View File

@@ -1,8 +1,5 @@
---
nginx_events_use: 'epoll' nginx_events_use: 'epoll'
nginx_pid: '/run/nginx.pid' nginx_pid: '/run/nginx.pid'
nginx_etc_dir: '/etc/nginx' nginx_etc_dir: '/etc/nginx'
# Specific vhosts
nginx_nagios_root: '/usr/share/nagios3/htdocs'
nginx_nagios_stylesheets: '/etc/nagios3/stylesheets'
nginx_fcgiwrap_sock: '/var/run/fcgiwrap.socket'
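Review bot: removing `nginx_nagios_root`, `nginx_nagios_stylesheets` and `nginx_fcgiwrap_sock` is only safe if no template or task still references them; it is worth grepping the templates for these names before merging, because a leftover reference becomes an undefined-variable failure at run time rather than something the linter reports.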

View File

@@ -1,7 +1,7 @@
---
nginx_events_use: 'kqueue' nginx_events_use: 'kqueue'
nginx_pid: '/var/run/nginx.pid' nginx_pid: '/var/run/nginx.pid'
nginx_etc_dir: '/usr/local/etc/nginx' nginx_etc_dir: '/usr/local/etc/nginx'
# Specific vhosts nginx_acmesh_bin: '/usr/local/sbin/acme.sh'
nginx_nagios_root: '/usr/local/www/nagios'
nginx_fcgiwrap_sock: '/var/run/fcgiwrap/fcgiwrap.sock'
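Review bot: `nginx_acmesh_bin` is set here as a fixed absolute path, `/usr/local/sbin/acme.sh`, while the role defaults derive it as `{{ nginx_acmesh_dir }}/acme.sh`; since role `vars/` take precedence over `defaults/`, setting `nginx_acmesh_dir` on FreeBSD will not change which binary is executed. That is fine if FreeBSD is meant to use the packaged acme.sh, but it should be stated in the documentation, or the path derived from `nginx_acmesh_dir` here as well. Same remark as for the Debian vars: confirm that no template still references `nginx_nagios_root` or `nginx_fcgiwrap_sock` after their removal.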

View File

@@ -1,3 +1,5 @@
---
nginx_upstream_server_params: nginx_upstream_server_params:
- key: 'weight' - key: 'weight'
default: 1 default: 1
@@ -32,17 +34,19 @@ nginx_dirs:
- dir: "{{ nginx_helper_dir }}" - dir: "{{ nginx_helper_dir }}"
mode: "0755" mode: "0755"
owner: "root" owner: "root"
- dir: "{{ nginx_etc_dir }}/modules-available"
mode: "0755"
owner: "root"
- dir: "{{ nginx_etc_dir }}/modules-enabled"
mode: "0755"
owner: "root"
nginx_templates_no_dir: nginx_templates_no_dir:
- '_backuppc'
- '_nagios3'
- '_owncloud'
- '_proxy' - '_proxy'
nginx_servers_default_headers: nginx_servers_default_headers:
'X-Frame-Options': 'DENY always' 'X-Frame-Options': 'DENY always'
'X-Content-Type-Options': 'nosniff always' 'X-Content-Type-Options': 'nosniff always'
'X-XSS-Protection': '1; mode=block' 'X-XSS-Protection': '1; mode=block always'
nginx_upstream_php56: 'php56' nginx_acmesh_bin: "{{ nginx_acmesh_dir }}/acme.sh"
nginx_upstream_php70: 'php70'
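Review bot: appending `always` to `X-XSS-Protection` makes it consistent with the other two default headers (with nginx `add_header ... always` the header is also emitted on error responses), but the value itself deserves a second look: the browser XSS auditor this header controls has been removed from Chromium-based browsers and never existed in Firefox, and because the filter could be abused to leak information across origins, current OWASP guidance is to send `X-XSS-Protection: 0` or omit the header and rely on a Content-Security-Policy instead. Also, dropping `_backuppc`, `_nagios3` and `_owncloud` from `nginx_templates_no_dir` and `nginx_upstream_php56`/`nginx_upstream_php70` from the defaults should be paired with removing the matching templates and any task references, otherwise the now-undefined variables surface at run time rather than in lint. The new `modules-available`/`modules-enabled` entries with `0755`/`root` match the permissions of the existing `nginx_dirs` entries.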