radityo/ansible-nginx
1
0
Fork 0
mirror of https://github.com/HanXHX/ansible-nginx.git synced 2026-02-28 09:22:10 +07:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: radityo:1.9.1
Branches Tags
radityo:master radityo:modernize radityo:feature/add_main_opts radityo:debian_11 radityo:py3
radityo:1.11.0 radityo:1.10.0 radityo:1.9.1 radityo:1.9.0 radityo:1.8.1 radityo:1.8.0 radityo:1.7.0 radityo:1.6.3 radityo:1.6.2 radityo:1.6.1 radityo:1.6.0 radityo:1.5.1 radityo:1.5.0 radityo:1.4.2 radityo:1.4.1 radityo:1.4.0 radityo:1.3.6 radityo:1.3.5 radityo:1.3.4 radityo:1.3.3 radityo:1.3.2 radityo:1.3.1 radityo:1.3.0 radityo:1.2.1 radityo:1.2.0 radityo:1.1.0-1 radityo:1.1.0 radityo:1.0.9 radityo:1.0.8-1 radityo:1.0.8 radityo:1.0.7 radityo:1.0.6 radityo:1.0.5 radityo:1.0.4 radityo:1.0.3 radityo:1.0.2 radityo:1.0.1 radityo:1.0.0
..
compare: radityo:6891b29c94af2dff6c919f26bbc7d97616c63884
Branches Tags
radityo:master radityo:modernize radityo:feature/add_main_opts radityo:debian_11 radityo:py3
radityo:1.11.0 radityo:1.10.0 radityo:1.9.1 radityo:1.9.0 radityo:1.8.1 radityo:1.8.0 radityo:1.7.0 radityo:1.6.3 radityo:1.6.2 radityo:1.6.1 radityo:1.6.0 radityo:1.5.1 radityo:1.5.0 radityo:1.4.2 radityo:1.4.1 radityo:1.4.0 radityo:1.3.6 radityo:1.3.5 radityo:1.3.4 radityo:1.3.3 radityo:1.3.2 radityo:1.3.1 radityo:1.3.0 radityo:1.2.1 radityo:1.2.0 radityo:1.1.0-1 radityo:1.1.0 radityo:1.0.9 radityo:1.0.8-1 radityo:1.0.8 radityo:1.0.7 radityo:1.0.6 radityo:1.0.5 radityo:1.0.4 radityo:1.0.3 radityo:1.0.2 radityo:1.0.1 radityo:1.0.0

28 Commits
1.9.1 ... 6891b29c94

Author SHA1 Message Date
Emilien Mantel
6891b29c94 🔥 Drop Debian 10 support 2025-06-02 17:45:15 +02:00
Emilien Mantel
b1997d56c6 🔧 Bypass namespace name in Galaxy 2025-06-02 17:42:47 +02:00
Emilien M
9983636f37 Merge pull request #45 from HanXHX/modernize 
Modernize
 2025-06-02 15:55:47 +02:00
Emilien Mantel
da4e9dfc4f 🎨 Fix imports in Ansible Galaxy 2025-06-02 13:08:49 +02:00
Emilien Mantel
bf37be22f7 🚀 Support Ubuntu 24.04 + Debian 13 2025-06-02 11:00:11 +02:00
Emilien Mantel
277cf7fe74 👷 Change ansible-lint in CI 2025-06-02 10:50:12 +02:00
Emilien Mantel
40d14922b9 📝 Update docs 2025-06-02 10:43:10 +02:00
Emilien Mantel
8ec630284a 🔥 Drop legacy test suite 2025-06-02 10:42:54 +02:00
Emilien Mantel
1aaf0351b4 🔥 Drop FreeBSD support 2025-06-02 10:35:34 +02:00
Emilien Mantel
9a52e83315 ⚗️ Modernize role 
- Drop ngrok support
- Do not link legacy tests files
 2025-06-02 10:30:32 +02:00
Emilien Mantel
591f2c6bcb 🔨 Modernize lint config 2025-05-28 17:56:58 +02:00
Emilien Mantel
a5325d7d54 🔥 Drop Ubuntu 18.04 support and hack CI 2023-05-31 12:10:40 +02:00
Emilien Mantel
c61fb86cc0 💚 Allow CI job Ubuntu 20.04 to fail 2023-05-31 12:10:40 +02:00
Emilien Mantel
c2e0fc241f ✏️ Fix doc typo 2023-05-31 12:10:40 +02:00
Emilien Mantel
1debe40739 💚 Fix Ubuntu 20.04 build 
- Prevent segfault on nginx-extra package
 2023-05-31 12:10:40 +02:00
Emilien Mantel
c9e1aa2848 Skip checks for Ubuntu 18.04 
Curl does not manage proxy protocol...
 2023-05-31 12:10:40 +02:00
Emilien Mantel
0fd16bdd1e 🚀 Manage Ubuntu 2023-05-31 12:10:40 +02:00
Emilien Mantel
424160f9d4 🐛 Fix load vars for Debian based OS 2023-05-31 12:10:40 +02:00
Emilien Mantel
6abee22d23 Add missing collection dependencies 2023-05-31 12:10:40 +02:00
Emilien Mantel
3b3f1cb3e0 🔥 Remove useless code 2023-05-31 12:10:40 +02:00
Emilien Mantel
955857ac4f 📝 Add github action badge 2023-05-31 12:10:40 +02:00
Emilien Mantel
170046480a 🔥 Remove TravisCI 2023-05-31 12:10:40 +02:00
Emilien Mantel
c8344201a8 Add Debian 12 and CI 2023-05-31 12:10:40 +02:00
Emilien Mantel
c552dd3642 🚀 Add core options 2023-05-31 12:10:40 +02:00
Emilien Mantel
d262ddd79e 🚨 Fix linter 2023-05-31 12:10:40 +02:00
Emilien Mantel
257437731a 🔒 Modernize TLS helpers 2023-05-31 12:10:40 +02:00
Emilien Mantel
3b69a4f700 🙈 Ignore pycharm files 2023-05-31 12:10:40 +02:00
Emilien Mantel
9f727adcb5 Fix linter 2022-11-25 10:11:19 +01:00
59 changed files with 842 additions and 936 deletions
Expand all files Collapse all files

4
.ansible-lint
View File

@@ -1,4 +0,0 @@
---
enable_list:
- fqcn-builtins

14
.config/ansible-lint.yml Normal file
View File

@@ -0,0 +1,14 @@
---
profile: production
warn_list:
- role-name
- schema[meta]
skip_list: []
exclude_paths:
- .github/
- .venv/
- venv/

17
.github/workflows/ansible_galaxy.yml vendored Normal file
View File

@@ -0,0 +1,17 @@
---
name: Deploy on Ansible Galaxy
'on':
- push
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v2
- name: galaxy
uses: robertdebock/galaxy-action@1.2.0
with:
galaxy_api_key: ${{ secrets.galaxy_api_key }}

39
.github/workflows/ci.yml vendored Normal file
View File

@@ -0,0 +1,39 @@
---
name: ci
'on':
pull_request:
push:
branches:
- master
jobs:
yaml-lint:
name: YAML Lint
runs-on: ubuntu-latest
steps:
- name: Fetch code
uses: actions/checkout@v3
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint
- name: Lint code.
run: |
yamllint .
ansible-lint:
name: Ansible Lint
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- name: Run ansible-lint
uses: ansible/ansible-lint@main

43
.github/workflows/molecule.yml vendored Normal file
View File

@@ -0,0 +1,43 @@
---
name: Molecule
'on':
pull_request:
push:
branches:
- master
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
scenario:
- debian-11
- debian-12
- ubuntu-20.04
- ubuntu-22.04
- ubuntu-24.04
allowed-to-fail:
- false
include:
- scenario: debian-13
allowed-to-fail: true
steps:
- name: Checkout
uses: actions/checkout@v3
with:
path: "${{ github.repository }}"
- name: Molecule
uses: gofrolist/molecule-action@v2.7.62
with:
molecule_options: --base-config molecule/_shared/base.yml
molecule_args: --scenario-name ${{ matrix.scenario }}
continue-on-error: ${{ matrix.allowed-to-fail }}
- name: Fake command
run: echo "End of job"

6
.gitignore vendored
View File

@@ -2,4 +2,8 @@
*.swp
*.retry
*.pyc
/tests/HanXHX.php
/tests/hanxhx.php
/.idea
/.venv
/venv
/.ansible

51
.travis.yml
View File

@@ -1,51 +0,0 @@
---
env:
global:
- VAGRANT_VERSION='2.2.18'
jobs:
- PLATFORM='docker-debian-bullseye' ANSIBLE_VERSION='>=2.11,<2.12'
- PLATFORM='docker-debian-buster' ANSIBLE_VERSION='>=2.11,<2.12'
os:
- linux
dist: focal
language: python
python:
- 3.8
services:
- docker
before_install:
- sudo apt-get -q update
- sudo apt-get install -y yamllint
- sudo wget -nv https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}_x86_64.deb
- sudo dpkg -i vagrant_${VAGRANT_VERSION}_x86_64.deb
install:
- sudo pip install "ansible-core$ANSIBLE_VERSION"
- sudo pip install ansible-lint
- ansible-galaxy collection install community.general
- ansible-galaxy install -p ./tests HanXHX.php
script:
- VAGRANT_DEFAULT_PROVIDER=docker vagrant up $PLATFORM
- >
VAGRANT_DEFAULT_PROVIDER=docker vagrant provision $PLATFORM
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
- VAGRANT_DEFAULT_PROVIDER=docker vagrant status
- >
yamllint .
&& (echo 'YAML lint test: pass' && exit 0)
|| (echo 'YAML lint test: fail' && exit 1)
- >
ansible-lint -v tests/test.yml
&& (echo 'Ansible lint test: pass' && exit 0)
|| (echo 'Ansible lint test: fail' && exit 1)
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

2
.yamllint.yml
View File

@@ -4,3 +4,5 @@ extends: default
rules:
line-length: disable
ignore-from-file: .gitignore

55
README.md
View File

@@ -1,9 +1,9 @@
Nginx for Debian/FreeBSD Ansible role
Nginx for Debian/Ubuntu Ansible role
=====================================
[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) [![Build Status](https://app.travis-ci.com/HanXHX/ansible-nginx.svg?branch=master)](https://app.travis-ci.com/HanXHX/ansible-nginx)
[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) ![GitHub Workflow Status (master branch)](https://img.shields.io/github/actions/workflow/status/hanxhx/ansible-nginx/molecule.yml?branch=master)
Install and configure Nginx on Debian/FreeBSD.
Install and configure Nginx on Debian/Ubuntu.
Features:
@@ -20,14 +20,17 @@ Features:
Supported OS:
| OS | Working | Stable (active support) |
| -------------------- | ------- | ----------------------- |
| Debian Jessie (8) | Yes | Check latest supported version ([1.5.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.5.0)) |
| Debian Stretch (9) | Yes | Check latest supported version ([1.9.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.9.0)) |
| Debian Buster (10) | Yes | Yes |
| Debian Bullseye (11) | Yes | Yes |
| FreeBSD 11 | Yes | No |
| FreeBSD 12 | Yes | No |
| OS | Working | Stable (active support) |
|----------------------|---------|--------------------------------------------------------------------------------------------------------|
| Debian Jessie (8) | Yes | Check latest supported version ([1.5.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.5.0)) |
| Debian Stretch (9) | Yes | Check latest supported version ([1.9.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.9.0)) |
| Debian Buster (10) | Yes | Check latest supported version ([1.10.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.10.0)) |
| Debian Bullseye (11) | Yes | Yes |
| Debian Bookworm (12) | Yes | Yes |
| Debian Trixie (13) | WIP | Not yet |
| Ubuntu 20.04 | Yes | Yes |
| Ubuntu 22.04 | Yes | Yes |
| Ubuntu 24.04 | Yes | Yes |
Requirements
------------
@@ -45,10 +48,6 @@ Debian:
- `nginx_apt_package`: APT nginx package (try: apt-cache search ^nginx)
- `nginx_backports`: Install nginx from backport repository (bool)
FreeBSD:
- `nginx_pkgng_package`: PKGNG nginx package (should be "nginx" or "nginx-devel")
### Shared
- `nginx_root`: root directory where you want to have your files
@@ -66,9 +65,9 @@ FreeBSD:
- `nginx_pid`: daemon pid file
- `nginx_events_*`: all variables in events block
- `nginx_http_*`: all variables in http block
- `nginx_custom_core`: instructions list (for core, will put data in `/etc/nginx/nginx.conf`)
- `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`)
- `nginx_module_packages`: package list module to install (Debian)
- `nginx_load_modules`: module list to load (full path), should be used only on FreeBSD
### Misc
@@ -92,35 +91,29 @@ Fine configuration
[Basic Auth](doc/auth.md)
[FreeBSD](doc/freebsd.md)
[acme.sh](doc/acme.md)
Note
----
- Active support for Debian.
- FreeBSD support is experimental (no Travis). I only test (for the moment) 10.2 (but it can work on other versions).
- Active support for Debian/Ubuntu.
Dependencies
------------
None
See: [requirements.yml](requirements.yml).
If you need to dev this role locally
------------------------------------
If you need to dev this role locally with molecule
--------------------------------------------------
Before use vagrant, run once:
Check available scenarios in [molecule](molecule) directory.
With `debian-12` scenario:
```commandline
molecule -v -c molecule/_shared/base.yml verify -s debian-12
```
ansible-galaxy install -p ./tests/ HanXHX.php,master
```
Example Playbook
----------------
See [tests/test.yml](tests/test.yml).
License
-------

87
Vagrantfile vendored
View File

@@ -1,87 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
# vi: set tabstop=2 :
# vi: set shiftwidth=2 :
Vagrant.configure("2") do |config|
vms_debian = [
{ :name => "debian-buster", :box => "debian/buster64", :vars => {} },
{ :name => "debian-bullseye", :box => "debian/bullseye64", :vars => {} }
]
vms_freebsd = [
{ :name => "freebsd-11", :box => "freebsd/FreeBSD-11.3-STABLE", :vars => {} },
{ :name => "freebsd-12", :box => "freebsd/FreeBSD-12.1-STABLE", :vars => {} }
]
conts = [
{ :name => "docker-debian-buster", :docker => "hanxhx/vagrant-ansible:debian10", :vars => {} },
{ :name => "docker-debian-bullseye", :docker => "hanxhx/vagrant-ansible:debian11", :vars => {} },
]
config.vm.network "private_network", type: "dhcp"
config.vm.synced_folder ".", "/vagrant", id: "vagrant-root", disabled: true
conts.each do |opts|
config.vm.define opts[:name] do |m|
m.vm.provider "docker" do |d|
d.image = opts[:docker]
d.remains_running = true
d.has_ssh = true
end
if opts[:name].include? "bullseye"
m.vm.provision "shell", inline: "[ -f '/root/first_provision' ] || (apt-get update -qq && apt-get -y dist-upgrade && touch /root/first_provision)"
end
m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml"
ansible.verbose = 'vv'
ansible.become = true
ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, is_docker: true })
end
end
end
vms_debian.each do |opts|
config.vm.define opts[:name] do |m|
m.vm.box = opts[:box]
m.vm.provider "virtualbox" do |v|
v.cpus = 1
v.memory = 256
end
if opts[:name].include? "bullseye"
m.vm.provision "shell", inline: "[ -f '/root/first_provision' ] || (apt-get update -qq && apt-get -y dist-upgrade && touch /root/first_provision)"
end
m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml"
ansible.verbose = 'vv'
ansible.become = true
ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true })
end
end
end
vms_freebsd.each do |opts|
config.vm.base_mac = "080027D14C66"
config.vm.define opts[:name] do |m|
m.vm.box = opts[:box]
m.vm.provider "virtualbox" do |v, override|
override.ssh.shell = "csh"
v.cpus = 2
v.memory = 512
end
m.vm.provision "shell", inline: "[ -e /usr/local/bin/bash ] || pkg install -y python bash"
m.vm.provision "ansible" do |ansible|
ansible.playbook = "tests/test.yml"
ansible.verbose = 'vv'
ansible.become = true
ansible.extra_vars = opts[:vars].merge({ "nginx_debug_role": true, "ansible_python_interpreter": '/usr/local/bin/python' })
end
end
end
end

5
defaults/main.yml
View File

@@ -3,8 +3,6 @@
# Debian
nginx_apt_package: nginx-full
nginx_backports: false
# FreeBSD
nginx_pkgng_package: nginx
#
# Nginx shared variables
@@ -26,7 +24,7 @@ nginx_default_hsts: 'max-age=63072000; includeSubDomains'
#
nginx_htpasswd_dir: '{{ nginx_etc_dir }}/htpasswd'
nginx_ssl_dir: '{{ nginx_etc_dir }}/ssl'
nginx_helper_dir: '{{ nginx_etc_dir}}/helper'
nginx_helper_dir: '{{ nginx_etc_dir }}/helper'
#
# Load upstream
@@ -84,6 +82,7 @@ nginx_http_gzip_disable: '"msie6"'
# Custom global configuration
#
nginx_custom_http: []
nginx_custom_core: []
#
# Nginx default

4
doc/auth.md
View File

@@ -20,12 +20,12 @@ Example
```yaml
nginx_sites:
# htpasswd on all site
# htpasswd on all site
- name: test.local
htpasswd: 'hello'
template: '_base'
# htpasswd only in /hello
# htpasswd only in /hello
- name: test-location.local
template: '_base'
location:

12
doc/freebsd.md
View File

@@ -1,12 +0,0 @@
Freebsd
=======
Limitations
-----------
Due to Ansible + FreeBSD limitations (`ansible_processor_vcpus`), You must explicitely set `nginx_worker_processes`.
About modules
-------------
Dynamic modules must be set with full path (see `nginx_load_modules` path).

10
doc/site.md
View File

@@ -1,7 +1,7 @@
Site management
===============
You can see many examples in: [tests/test.yml](../tests/test.yml).
You can see many examples in: [molecule/_shared/group_vars/all/main.yml](../molecule/_shared/group_vars/all/main.yml).
`nginx_sites`: List of dict. A site has few keys. See bellow.
@@ -34,7 +34,7 @@ Pre-built site config
- `redirect_to_code`: Redirect code (default: 302)
- `redirect_https`: (O) Boolean. Redirect HTTP to HTTPS. If "true", you _MUST_ set `proto` to `['https']`.
- `location`: (O) Add new custom locations (it does not overwrite!)
- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [tests/test.yml](../tests/test.yml)).
- `location_order`: (O) Due to non preditive `location` order, you can provide the good order (see test-location.local in [molecule/_shared/group_vars/all/main.yml](../molecule/_shared/group_vars/all/main.yml)).
- `location_before`: (O) Add new custom locations before generated location by template
- `location_order_before`: (O) Manages location order for `location_before`
- `more`: (O) Add more custom infos.
@@ -87,7 +87,7 @@ You can manage default site by setting domain name to these variables.
```yaml
- nginx_sites:
nginx_sites:
- name: 'mywebsite.com'
template: '_wordpress'
headers:
@@ -108,7 +108,7 @@ You can add some extra infos if needed.
### Example:
```yaml
- nginx_sites:
nginx_sites:
- name: 'mycustom-website.com'
custom_template: 'my/template_dir/the-template.conf.j2'
allow_admin: '192.168.0.0/24'
@@ -137,5 +137,3 @@ server {
}
}
```

12
doc/ssl.md
View File

@@ -8,7 +8,7 @@ Variables
- `nginx_dh`: DH content
- `nginx_dh_length`: DH key length (default is 2048)
- `nginx_dh_path`: file localation
- `nginx_dh_path`: file location
- `nginx_ssl_dir`: directory where you install your SSL/TLS keys
- `nginx_ssl_pairs`
@@ -20,7 +20,7 @@ Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo
### Content mode
Key/Cert content is stored in variable. Usefull with vault.
Key/Cert content is stored in variable. Useful with vault.
- `key`: content of the private key
- `cert`: content of the public key
@@ -32,11 +32,11 @@ You can use these variables if you use another task/role to manages your certifi
- `dest_cert`: remote path where certificate is located
- `dest_key`: remote path where key is located
### Self signed
### Self-signed
Create a self-signed pair and deploy it. Do not use this feature in production.
- `self_signed`: set true to use this featrure
- `self_signed`: set true to use this feature
- `force`: optional feature (default: false), force regen pair (not idempotent)
### Acme
@@ -45,7 +45,7 @@ Uses acme.sh to create free certificates. It uses HTTP-01 challenge. Use this fe
- `acme`: set true to use this feature. It uses `name` (can be a string or string list).
Have a look to [acme configuratuion](acme.md configuration).
Have a look to [acme configuration](acme.md).
Tips
----
@@ -61,7 +61,7 @@ Example
-------
```yaml
nginx_sites;
nginx_sites:
- name: 'test-ssl.local'
proto: ['http', 'https']
template: '_base'

38
handlers/main.yml
View File

@@ -1,46 +1,14 @@
---
- name: reload nginx
ansible.builtin.command: nginx -t
notify:
- real-reload nginx
- docker reload nginx
- name: restart nginx
ansible.builtin.command: nginx -t
notify:
- real-restart nginx
- docker restart nginx
- name: real-reload nginx
- name: Reload nginx
ansible.builtin.service:
name: nginx
state: reloaded
when: ansible_virtualization_type != 'docker'
- name: real-restart nginx
- name: Restart nginx
ansible.builtin.service:
name: nginx
state: restarted
when: ansible_virtualization_type != 'docker'
- name: docker reload nginx
ansible.builtin.command: service nginx reload
args:
warn: false
when: ansible_virtualization_type == 'docker'
- name: docker restart nginx
ansible.builtin.command: service nginx restart
args:
warn: false
when: ansible_virtualization_type == 'docker'
- name: restart nginx freebsd
ansible.builtin.service:
name: nginx
state: restarted
when: ansible_distribution == "FreeBSD"
- name: setup
- name: Setup
ansible.builtin.setup:

16
meta/main.yml
View File

@@ -2,22 +2,22 @@
galaxy_info:
author: Emilien Mantel
namespace: hanxhx
namespace: HanXHX
role_name: nginx
description: Nginx for Debian / FreeBSD
company:
description: Nginx for Debian / Ubuntu
company: TripleStack
license: GPLv2
min_ansible_version: 2.11
min_ansible_version: '2.11'
platforms:
- name: Debian
versions:
- buster
- bullseye
- name: FreeBSD
- bookworm
- name: Ubuntu
versions:
- 11.0
- 11.1
- 12.0
- focal
- jammy
galaxy_tags:
- web
- debian

19
molecule/_shared/Dockerfile.j2 Normal file
View File

@@ -0,0 +1,19 @@
# Molecule managed
{% if item.registry is defined %}
FROM {{ item.registry.url }}/{{ item.image }}
{% else %}
FROM {{ item.image }}
{% endif %}
{% if item.env is defined %}
{% for var, value in item.env.items() %}
{% if value %}
ENV {{ var }} {{ value }}
{% endif %}
{% endfor %}
{% endif %}
RUN apt-get update && \
apt-get install -y python3 sudo bash ca-certificates iproute2 python-apt-common \
&& apt-get clean

42
molecule/_shared/base.yml Normal file
View File

@@ -0,0 +1,42 @@
---
scenario:
test_sequence:
- dependency
- syntax
- create
- prepare
- converge
- idempotence
- verify
- destroy
dependency:
name: galaxy
options:
requirements-file: ./molecule/_shared/requirements.yml
role-file: ./molecule/_shared/requirements.yml
driver:
name: docker
role_name_check: 1
provisioner:
name: ansible
env:
ANSIBLE_FILTER_PLUGINS: "../../filter_plugins"
config_options:
defaults:
deprecation_warnings: false
callback_whitelist: timer,profile_tasks
fact_caching: jsonfile
fact_caching_connection: ./cache
forks: 100
connection:
pipelining: true
playbooks:
converge: ../_shared/converge.yml
prepare: ../_shared/prepare.yml
verify: ../_shared/verify.yml
inventory:
links:
group_vars: ../_shared/group_vars
verifier:
name: ansible

9
molecule/_shared/converge.yml Normal file
View File

@@ -0,0 +1,9 @@
---
- name: Converge # noqa: role-name[path]
hosts: all
gather_facts: true
vars:
nginx_debug_role: true
roles:
- ../../../

0
tests/file/test.crt → molecule/_shared/file/test.crt
View File

0
tests/file/test.key → molecule/_shared/file/test.key
View File

32
tests/group_vars/all.yml → molecule/_shared/group_vars/all/main.yml
View File

@@ -3,9 +3,11 @@
# Internal vars
int_ansible_ssl_dir: '/etc/ansible-ssl'
# Role vars
nginx_worker_processes: 1 # Ansible+FreeBSD can't detect CPU number
nginx_worker_processes: 1 # Ansible can't detect CPU count
nginx_apt_package: 'nginx-extras'
nginx_module_packages: ['libnginx-mod-http-headers-more-filter']
nginx_custom_core:
- 'worker_rlimit_nofile 4242;'
nginx_upstreams:
- name: 'test'
@@ -40,8 +42,6 @@ nginx_acmesh: true
nginx_acmesh_test: true
nginx_ssl_pairs:
- name: '{{ ngrok.stdout }}'
acme: true
- name: 'test-ssl-selfsigned.local'
self_signed: true
force: false
@@ -102,7 +102,7 @@ nginx_ssl_pairs:
nginx_custom_http:
- 'add_header X-ansible 1;'
- 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
- 'geoip_country {% if ansible_os_family == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
- 'map $geoip_country_code $allowed_country {'
- ' default yes;'
- ' MA no;'
@@ -234,17 +234,17 @@ nginx_sites:
ssl_name: 'test-ssl.local'
headers:
'X-Proxy-Protocol': '1'
- name: '{{ ngrok.stdout }}'
proto: ['http', 'https']
listen_proxy_protocol: [21080]
listen_proxy_protocol_ssl: [21443]
template: '_base'
ssl_name: '{{ ngrok.stdout }}'
headers:
'X-acme': '1'
- name: 'test-custom-template.local'
custom_template: 'templates/custom_template.conf.j2'
root: '/tmp/custom-template'
# - name: '{{ ngrok.stdout }}'
# proto: ['http', 'https']
# listen_proxy_protocol: [21080]
# listen_proxy_protocol_ssl: [21443]
# template: '_base'
# ssl_name: '{{ ngrok.stdout }}'
# headers:
# 'X-acme': '1'
# - name: 'test-custom-template.local'
# custom_template: 'templates/custom_template.conf.j2'
# root: '/tmp/custom-template'
nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636' }] }] }}"
nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636'}]}] }}"
nginx_dh_length: 1024

109
molecule/_shared/prepare.yml Normal file
View File

@@ -0,0 +1,109 @@
---
- name: Prepare
hosts: all
gather_facts: true
tasks:
- name: APT_REPOSITORY | Install backports
ansible.builtin.apt_repository:
repo: 'deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main'
state: present
when: nginx_backports is defined and nginx_backports
- name: APT | Install needed packages
ansible.builtin.apt:
pkg: "{{ packages }}"
update_cache: true
cache_valid_time: 3600
state: present
vars:
packages:
- cron
- curl
- daemonize
- jq
- nghttp2
- strace
- vim
- unzip
- name: APT | Install PHP
ansible.builtin.apt:
pkg: "{{ pkgs }}"
update_cache: true
cache_valid_time: 3600
state: present
vars:
pkgs:
- php-cli
- php-fpm
- name: SHELL | Get current PHP version # noqa: risky-shell-pipe
ansible.builtin.shell: php --version | awk '/^PHP/ { print $2 }' | grep -o -E '^.{3}'
changed_when: false
register: cur_php_version
- name: SERVICE | Ensure PHP-FPM is started
ansible.builtin.service:
name: "php{{ cur_php_version.stdout }}-fpm"
state: started
- name: USER | Create PHP User foo
ansible.builtin.user:
name: foo
system: true
- name: INCLUDE_ROLE | hanxhx.php
ansible.builtin.include_role:
name: "hanxhx.php"
vars:
php_version: "{{ cur_php_version.stdout }}"
php_autoremove_default_pool: false
php_fpm_poold:
- name: 'hx_unix'
user: 'foo'
php_value:
display_errors: 'Off'
php_admin_value:
memory_limit: '98M'
- name: 'hx_ip'
listen: '127.0.0.1:9636'
- name: FILE | Create an internal SSL dir
ansible.builtin.file:
path: "{{ int_ansible_ssl_dir }}"
state: directory
mode: "0750"
owner: root
group: root
- name: COPY | Deploy test cert/key
ansible.builtin.copy:
src: "file/{{ item }}"
dest: "{{ int_ansible_ssl_dir }}/{{ item }}"
mode: "0640"
owner: root
group: root
loop:
- 'test.key'
- 'test.crt'
- name: COPY | Add all hosts in /etc/hosts
ansible.builtin.copy:
content: |
127.0.0.1 localhost
{% for s in nginx_sites %}
{% if s.name is string %}
127.0.0.1 {{ s.name }}
{% else %}
127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %}
{% endif %}
{% if s.redirect_from is defined %}
127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %}
{% endif %}
{% endfor %}
dest: "/etc/hosts"
mode: "0644"
owner: root
group: root
unsafe_writes: true

7
molecule/_shared/requirements.yml Normal file
View File

@@ -0,0 +1,7 @@
---
roles:
- name: hanxhx.php
collections:
- community.general

0
tests/templates/custom_template.conf.j2 → molecule/_shared/templates/custom_template.conf.j2
View File

266
molecule/_shared/verify.yml Normal file
View File

@@ -0,0 +1,266 @@
---
- name: Verify
hosts: all
gather_facts: true
vars:
nginx_root: "/srv/www"
tasks:
# --------------------------------
# Deploy index files
# --------------------------------
- name: -- Add PHP file --
ansible.builtin.copy:
dest: "{{ nginx_root }}/{{ item }}/public/index.php"
content: "<?php phpinfo();"
mode: "0644"
owner: root
group: root
loop:
- 'test-php.local'
- 'test-php-index.local'
- 'test-php-index2.local'
- name: -- Add Directories --
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: "0755"
loop:
- "{{ nginx_root }}/test-htpasswd.local/public/hello"
- "/tmp/custom-template"
- name: -- Add HTML file --
ansible.builtin.copy:
dest: "{{ item }}/index.html"
content: "Index HTML test OK\n"
mode: "0644"
owner: root
group: root
loop:
- '{{ nginx_root }}/first-test/public'
- '/var/tmp'
- '{{ nginx_root }}/test-htpasswd-all.local/public'
- '{{ nginx_root }}/test-ssl.local/public'
- '{{ nginx_root }}/test-ssl-selfsigned.local/public'
- '{{ nginx_root }}/test-ssl-predeployed.local/public'
- '{{ nginx_root }}/test-ssl-proxy-protocol.local/public'
- name: -- Create directory --
ansible.builtin.file:
path: "{{ nginx_root }}/test-htpasswd.local/public/hello"
state: directory
mode: "0755"
owner: root
group: root
- name: -- Add HTML file hello --
ansible.builtin.copy:
dest: "{{ nginx_root }}/test-htpasswd.local/public/hello/index.html"
content: "hello\n"
mode: "0644"
owner: root
group: root
# --------------------------------
# Test custom facts
# --------------------------------
- name: -- CHECK FACTS --
ansible.builtin.assert:
that: "ansible_local.nginx.fact_nginx_sites[0].name[0] == 'test.local'"
# --------------------------------
# Simple sites tests
# --------------------------------
- name: -- VERIFY SITES --
ansible.builtin.uri:
url: "http://{{ item | nginx_site_name }}{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
status_code: '200,301,302,401,403'
follow_redirects: none
loop: "{{ nginx_sites }}"
when: item.state is undefined or item.state != "absent"
changed_when: false
- name: -- VERIFY FORBIDDEN --
ansible.builtin.uri:
url: "http://test-php-index.local/phpinfo.php"
status_code: 403
- name: -- VERIFY REDIRECT SITES --
ansible.builtin.uri:
url: "http://{{ item.redirect_from[0] }}/"
status_code: 301
follow_redirects: none
loop: "{{ nginx_sites }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and (item.proto is not defined or 'https' not in item.proto)
changed_when: false
- name: -- VERIFY REDIRECT HTTPS SITES --
ansible.builtin.uri:
url: "https://{{ item.redirect_from[0] }}:{{ item.listen_ssl[0] | default(443) }}/"
status_code: 301
follow_redirects: none
validate_certs: false
loop: "{{ nginx_sites }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and item.proto is defined and 'https' in item.proto
changed_when: false
# --------------------------------
# PHP
# --------------------------------
- name: -- VERIFY PHP SITES --
ansible.builtin.uri:
url: "http://{{ item.name }}/"
return_content: true
register: p
loop: "{{ nginx_sites }}"
when: >
item.template is defined and
(item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2')
failed_when: p.content.find('PHP Version') == -1
- name: -- VERIFY INDEX2 --
ansible.builtin.uri:
url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet"
return_content: true
register: p2
failed_when: p2.content.find('PHP Version') == -1
# --------------------------------
# Basic Auth
# --------------------------------
- name: -- VERIFY AUTH BASIC NONE --
ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/"
status_code: 401
- name: -- VERIFY AUTH BASIC FAIL --
ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/"
status_code: 401
user: "fail"
password: "fail"
force_basic_auth: true
- name: -- VERIFY AUTH BASIC OK --
ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/"
user: "hanx"
password: "qwerty"
force_basic_auth: true
- name: -- VERIFY AUTH BASIC FAIL GLOBAL --
ansible.builtin.uri:
url: "http://test-htpasswd-all.local/"
status_code: 401
user: "fail"
password: "fail"
force_basic_auth: true
- name: -- VERIFY AUTH BASIC OK GLOBAL --
ansible.builtin.uri:
url: "http://test-htpasswd-all.local/"
user: "hanx"
password: "qwerty"
force_basic_auth: true
# --------------------------------
# SSL
# --------------------------------
- name: -- VERIFY SSL --
ansible.builtin.uri:
url: "https://{{ item }}/"
return_content: true
validate_certs: false
register: sslok
failed_when: sslok.content.find('Index HTML test OK') == -1
loop:
- 'test-ssl-predeployed.local'
- 'test-ssl-selfsigned.local'
- 'test-ssl.local'
- name: -- VERIFY SSL REDIRECT --
ansible.builtin.uri:
url: "http://{{ item.name }}/"
validate_certs: false
status_code: 301
return_content: true
follow_redirects: none
register: sslredirok
failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location'
loop:
- name: 'test-ssl-redirect.local'
- name: 'test-ssl-redirect-many.local'
port: '8443'
- name: 'test-ssl-redirect-many2.local'
port: '8443'
# --------------------------------
# Default sites
# --------------------------------
- name: -- VERIFY DEFAULT SITE --
ansible.builtin.uri:
url: 'http://127.0.0.1/'
return_content: true
register: vdefault
failed_when: >
vdefault.content.find('Index HTML test OK') == -1 or
vdefault.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SITE + STUB STATUS--
ansible.builtin.uri:
url: 'http://127.0.0.1/status'
return_content: true
register: vdefault_status
failed_when: >
vdefault_status.content.find('Active connections') == -1 or
vdefault_status.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SSL SITE --
ansible.builtin.uri:
url: 'https://127.0.0.1/'
return_content: true
validate_certs: false
register: vdefault
failed_when: >
vdefault.content.find('Index HTML test OK') == -1 or
vdefault.x_ansible_default is not defined
- name: -- VERIFY NOT DEFAULT SITE --
ansible.builtin.uri:
url: 'http://test-php.local/'
return_content: true
register: vphp
failed_when: vphp.x_ansible_default is defined
- name: -- VERIFY NOT DEFAULT SSL SITE --
ansible.builtin.uri:
url: 'https://test-ssl.local/'
return_content: true
validate_certs: false
register: notdefaultssl
failed_when: notdefaultssl.x_ansible_default is defined
# --------------------------------
# Check Proxy protocol
# --------------------------------
- name: SHELL | Check HTTP proxy protocol
ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol'
args:
executable: /bin/bash
changed_when: false
- name: SHELL | Check HTTPS proxy protocol
ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol'
args:
executable: /bin/bash
changed_when: false
# --------------------------------
# Check HTTP2
# --------------------------------
- name: SHELL | Check HTTP2
ansible.builtin.shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2
args:
executable: /bin/bash
changed_when: false

13
molecule/debian-11/molecule.yml Normal file
View File

@@ -0,0 +1,13 @@
---
platforms:
- name: debian-11
image: dokken/debian-11
command: /lib/systemd/systemd
dockerfile: ../_shared/Dockerfile.j2
capabilities:
- SYS_ADMIN
cgroupns_mode: host
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
privileged: true

13
molecule/debian-12/molecule.yml Normal file
View File

@@ -0,0 +1,13 @@
---
platforms:
- name: debian-13
image: dokken/debian-13
command: /lib/systemd/systemd
dockerfile: ../_shared/Dockerfile.j2
capabilities:
- SYS_ADMIN
cgroupns_mode: host
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
privileged: true

13
molecule/debian-13/molecule.yml Normal file
View File

@@ -0,0 +1,13 @@
---
platforms:
- name: debian-12
image: dokken/debian-13
command: /lib/systemd/systemd
dockerfile: ../_shared/Dockerfile.j2
capabilities:
- SYS_ADMIN
cgroupns_mode: host
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
privileged: true

0
molecule/default/.gitkeep Normal file
View File

20
molecule/ubuntu-20.04/molecule.yml Normal file
View File

@@ -0,0 +1,20 @@
---
platforms:
- name: ubuntu-20.04
image: dokken/ubuntu-20.04
command: /lib/systemd/systemd
dockerfile: ../_shared/Dockerfile.j2
capabilities:
- SYS_ADMIN
cgroupns_mode: host
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
privileged: true
# Segfault on Ubuntu 20.04 with `nginx-extras` package...
provisioner:
inventory:
host_vars:
ubuntu-20.04:
nginx_apt_package: 'nginx-full'

13
molecule/ubuntu-22.04/molecule.yml Normal file
View File

@@ -0,0 +1,13 @@
---
platforms:
- name: ubuntu-22.04
image: dokken/ubuntu-22.04
command: /lib/systemd/systemd
dockerfile: ../_shared/Dockerfile.j2
capabilities:
- SYS_ADMIN
cgroupns_mode: host
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
privileged: true

13
molecule/ubuntu-24.04/molecule.yml Normal file
View File

@@ -0,0 +1,13 @@
---
platforms:
- name: ubuntu-24.04
image: dokken/ubuntu-24.04
command: /lib/systemd/systemd
dockerfile: ../_shared/Dockerfile.j2
capabilities:
- SYS_ADMIN
cgroupns_mode: host
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:rw
privileged: true

4
requirements.yml Normal file
View File

@@ -0,0 +1,4 @@
---
collections:
- community.general

18
tasks/config.yml
View File

@@ -4,29 +4,29 @@
ansible.builtin.template:
src: "etc/nginx/nginx.conf.j2"
dest: "{{ nginx_etc_dir }}/nginx.conf"
mode: 0644
mode: "0644"
owner: root
group: root
notify: reload nginx
notify: Reload nginx
- name: TEMPLATE | Deploy all helpers
ansible.builtin.template:
src: "{{ item }}"
dest: "{{ nginx_helper_dir }}/{{ item | basename | regex_replace('.j2$','') }}"
mode: 0644
dest: "{{ nginx_helper_dir }}/{{ item | basename | regex_replace('.j2$', '') }}"
mode: "0644"
owner: root
group: root
with_fileglob: '../templates/etc/nginx/helper/*.j2'
notify: reload nginx
notify: Reload nginx
- name: TEMPLATE | Deploy custom http configuration
ansible.builtin.template:
src: "etc/nginx/conf.d/custom.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/custom.conf"
mode: 0644
mode: "0644"
owner: root
group: root
notify: reload nginx
notify: Reload nginx
- name: LINEINFILE | Fix path
ansible.builtin.lineinfile:
@@ -51,7 +51,7 @@
load_module {{ m }};
{% endfor %}
dest: "{{ nginx_etc_dir }}/modules-enabled/000-modules.conf"
mode: 0644
mode: "0644"
owner: root
group: root
notify: reload nginx
notify: Reload nginx

2
tasks/htpasswd.yml
View File

@@ -13,7 +13,7 @@
name: "{{ item.1.name }}"
password: "{{ item.1.password }}"
path: "{{ nginx_htpasswd_dir }}/{{ item.0.name }}"
mode: 0644
mode: "0644"
owner: root
group: root
loop: "{{ nginx_htpasswd | subelements('users') }}"

2
tasks/install/Debian.yml
View File

@@ -14,7 +14,7 @@
- name: APT | Install nginx and dependencies
ansible.builtin.apt:
pkg: "{{ nginx_apt_package }}"
default_release: "{{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}"
default_release: "{{ ansible_distribution_release + '-backports' if (nginx_backports and ansible_distribution == 'Debian') else ansible_distribution_release }}"
- name: APT | Install nginx modules
ansible.builtin.apt:

62
tasks/install/FreeBSD.yml
View File

@@ -1,62 +0,0 @@
---
- name: PKGNG | Install nginx and related tools
pkgng:
name: "{{ item }}"
state: present
loop:
- acme.sh
- "{{ nginx_pkgng_package }}"
- py27-passlib
- curl
#
# Bypass https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=224166#c1
#
- block:
- name: COMMAND | Create /usr/local/etc/fdfs/http.conf
ansible.builtin.command: touch /usr/local/etc/fdfs/http.conf
args:
creates: /usr/local/etc/fdfs/http.conf
register: fd1
- name: LINEINFILE | Tune fdfs
ansible.builtin.lineinansible.builtin.file:
regexp: ^load_fdfs_parameters_from_tracker
line: load_fdfs_parameters_from_tracker=false
path: /usr/local/etc/fdfs/mod_fastdfs.conf
register: fd2
- name: SERVICE | Restart nginx when fdfs is tuned
ansible.builtin.service:
name: nginx
state: restarted
when: fd1.changed or fd2.changed
when: true
- name: FILE | Create configuration dir (like Debian)
ansible.builtin.file:
path: "{{ nginx_etc_dir }}/{{ item }}"
state: directory
mode: 0755
owner: root
group: root
loop:
- conf.d
- sites-available
- sites-enabled
- name: FILE | Create log directory
ansible.builtin.file:
path: "{{ nginx_log_dir }}"
owner: "{{ nginx_user }}"
group: wheel
mode: 0755
state: directory
- name: SERVICE | Enable nginx
ansible.builtin.service:
name: nginx
enabled: true

7
tasks/install/acme.yml
View File

@@ -5,7 +5,9 @@
path: "{{ nginx_acmesh_dir }}"
register: acme
- block:
- name: Install acme.sh if needed
when: not acme.stat.exists
block:
- name: APT | Install git
ansible.builtin.apt:
@@ -26,8 +28,7 @@
- name: COMMAND | Force acme.sh to use letsencrypt (instead of zerossl)
ansible.builtin.command: '{{ nginx_acmesh_dir }}/acme.sh --set-default-ca --server letsencrypt --home "{{ nginx_acmesh_dir }}"'
when: not acme.stat.exists
changed_when: true
- name: FILE | Remove temp acme.sh dir
ansible.builtin.file:

2
tasks/install/main.yml
View File

@@ -1,7 +1,7 @@
---
- name: INCLUDE_TASKS | Install
ansible.builtin.include_tasks: "{{ ansible_distribution }}.yml"
ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml"
- name: IMPORT_TASKS | acme
ansible.builtin.import_tasks: "acme.yml"

2
tasks/main.yml
View File

@@ -1,7 +1,7 @@
---
- name: INCLUDE_VARS | Related to OS
ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
tags: ['nginx::site', 'nginx::ssl']
- name: INCLUDE_TASKS | Install

2
tasks/prepare.yml
View File

@@ -42,6 +42,6 @@
ansible.builtin.file:
path: /etc/ansible/facts.d
state: directory
mode: 0755
mode: "0755"
owner: root
group: root

24
tasks/site.yml
View File

@@ -22,7 +22,7 @@
ansible.builtin.file:
path: "{{ nginx_root }}"
state: directory
mode: 0755
mode: "0755"
owner: root
group: root
@@ -46,10 +46,10 @@
ansible.builtin.template:
src: "etc/nginx/sites-available/{{ item.template if item.redirect_to is not defined else '_redirect' }}.j2"
dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
mode: 0644
mode: "0644"
owner: root
group: root
notify: ['reload nginx', 'restart nginx freebsd']
notify: 'Reload nginx'
when: (item.state is not defined or item.state != 'absent') and item.custom_template is not defined
loop: "{{ nginx_sites }}"
loop_control:
@@ -59,10 +59,10 @@
ansible.builtin.template:
src: "{{ item.custom_template }}"
dest: "{{ nginx_etc_dir }}/sites-available/{{ item | nginx_site_filename }}"
mode: 0644
mode: "0644"
owner: root
group: root
notify: ['reload nginx', 'restart nginx freebsd']
notify: 'Reload nginx'
when: (item.state is not defined or item.state != 'absent') and item.custom_template is defined
loop: "{{ nginx_sites }}"
loop_control:
@@ -73,7 +73,7 @@
path: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
state: absent
loop: "{{ nginx_sites | product(dirs) | list }}"
notify: ['reload nginx', 'restart nginx freebsd']
notify: 'Reload nginx'
when: item.0.state is defined and item.0.state == 'absent'
vars:
dirs: ['sites-available', 'sites-enabled']
@@ -86,7 +86,7 @@
dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
state: link
loop: "{{ nginx_sites }}"
notify: ['reload nginx', 'restart nginx freebsd']
notify: 'Reload nginx'
when: >
item.state is not defined or item.state == 'present'
loop_control:
@@ -97,7 +97,7 @@
path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
state: absent
loop: "{{ nginx_sites }}"
notify: ['reload nginx', 'restart nginx freebsd']
notify: 'Reload nginx'
when: item.state is defined and item.state == 'disabled'
loop_control:
label: "{{ item | nginx_site_name }}"
@@ -106,7 +106,7 @@
ansible.builtin.file:
path: "{{ nginx_etc_dir }}/sites-enabled/default"
state: absent
notify: ['reload nginx', 'restart nginx freebsd']
notify: 'Reload nginx'
when: nginx_default_site is not none
- name: FILE | Auto set default site
@@ -114,12 +114,12 @@
src: "{{ nginx_etc_dir }}/sites-available/default"
dest: "{{ nginx_etc_dir }}/sites-enabled/default"
state: link
notify: ['reload nginx', 'restart nginx freebsd']
notify: 'Reload nginx'
when: nginx_default_site is none
- name: TEMPLATE | Deploy facts
ansible.builtin.template:
src: etc/ansible/facts.d/nginx.fact.j2
dest: /etc/ansible/facts.d/nginx.fact
mode: 0644
notify: ['setup']
mode: "0644"
notify: ['Setup']

34
tasks/ssl/acme.yml
View File

@@ -13,7 +13,7 @@
- name: SET_FACT | Assign var with certificates to create
ansible.builtin.set_fact:
acme_create: "{{ acme_create | default([]) + [ (item.item) ] }}"
acme_create: "{{ acme_create | default([]) + [item.item] }}"
loop: "{{ acme_installed_certs.results }}"
when: item.skipped is not defined and (not item.stat.exists or item.stat.size == 0)
@@ -24,30 +24,32 @@
ansible.builtin.template:
src: "etc/nginx/conf.d/FAKESITE.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
mode: 0644
mode: "0644"
owner: root
group: root
loop: "{{ acme_create }}"
register: fake_site
notify: Restart nginx
- name: FILE | Delete current site if needed
- name: TEMPLATE | Create fake site
ansible.builtin.template:
src: "etc/nginx/conf.d/FAKESITE.conf.j2"
dest: "/tmp/FAKESITE_{{ item | nginx_site_name }}.conf"
mode: "0644"
owner: root
group: root
loop: "{{ acme_create }}"
- name: FILE | Delete current site if needed # noqa: no-handler
ansible.builtin.file:
path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}"
state: absent
loop: "{{ acme_create }}"
when: fake_site.changed
notify: Restart nginx
- name: SERVICE | Restart nginx
ansible.builtin.service:
name: nginx
state: restarted
when: fake_site.changed and ansible_virtualization_type != 'docker'
- name: COMMAND | Restart nginx
ansible.builtin.command: service nginx restart
args:
warn: false
when: fake_site.changed and ansible_virtualization_type == 'docker'
- name: META | Ensure nginx is restarted if needed
ansible.builtin.meta: flush_handlers
- name: COMMAND | Get certificates
ansible.builtin.command: |
@@ -80,7 +82,7 @@
creates: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
loop: "{{ nginx_ssl_pairs }}"
when: item.acme is defined and item.acme
notify: restart nginx
notify: Restart nginx
rescue:
@@ -95,7 +97,7 @@
path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
state: absent
loop: "{{ acme_create }}"
notify: restart nginx
notify: Restart nginx
- name: META | Flush handlers
ansible.builtin.meta: flush_handlers

4
tasks/ssl/main.yml
View File

@@ -1,8 +1,8 @@
---
- name: IMPORT_TASKS | standard.yml
import_tasks: standard.yml
ansible.builtin.import_tasks: standard.yml
- name: IMPORT_TASKS | acme.yml
import_tasks: acme.yml
ansible.builtin.import_tasks: acme.yml
when: nginx_acmesh

58
tasks/ssl/standard.yml
View File

@@ -1,25 +1,29 @@
---
- block:
- name: STAT | Get info about DH file
ansible.builtin.stat:
path: "{{ nginx_dh_path }}"
get_checksum: false
register: stat_dh_file
- name: SHELL | Get info about DH file
ansible.builtin.shell: openssl dhparam -in {{ nginx_dh_path }} -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }'
changed_when: false
register: dh_info
when: stat_dh_file.stat.exists
- name: COMMAND | Generate DH file
ansible.builtin.command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
when: not stat_dh_file.stat.exists or (dh_info.stdout | int != nginx_dh_length | int)
notify: restart nginx
- name: Generate DH if needed
when: nginx_dh is not string
block:
- name: STAT | Get info about DH file
ansible.builtin.stat:
path: "{{ nginx_dh_path }}"
get_checksum: false
register: stat_dh_file
- name: SHELL | Get info about DH file
ansible.builtin.shell: |
set -o pipefail &&
openssl dhparam -in {{ nginx_dh_path }} -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }'
args:
executable: /bin/bash
changed_when: false
register: dh_info
when: stat_dh_file.stat.exists
- name: COMMAND | Generate DH file # noqa: no-changed-when
ansible.builtin.command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
when: not stat_dh_file.stat.exists or (dh_info.stdout | int != nginx_dh_length | int)
notify: Restart nginx
- name: COPY | Deploy DH file from vars
ansible.builtin.copy:
@@ -27,9 +31,9 @@
dest: "{{ nginx_dh_path }}"
owner: root
group: root
mode: 0640
mode: "0640"
when: nginx_dh is string
notify: restart nginx
notify: Restart nginx
- name: FILE | Create SSL directories
ansible.builtin.file:
@@ -37,7 +41,7 @@
state: directory
owner: root
group: root
mode: 0750
mode: "0750"
loop: "{{ nginx_ssl_pairs }}"
when: item.dest_key is not defined or item.dest_cert is not defined
no_log: "{{ not nginx_debug_role }}"
@@ -48,10 +52,10 @@
dest: "{{ item | nginx_key_path(nginx_ssl_dir) }}"
owner: root
group: root
mode: 0640
mode: "0640"
loop: "{{ nginx_ssl_pairs }}"
when: item.key is defined
notify: restart nginx
notify: Restart nginx
no_log: "{{ not nginx_debug_role }}"
- name: COPY | Deploy SSL certs
@@ -60,10 +64,10 @@
dest: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
owner: root
group: root
mode: 0644
mode: "0644"
loop: "{{ nginx_ssl_pairs }}"
when: item.cert is defined
notify: restart nginx
notify: Restart nginx
no_log: "{{ not nginx_debug_role }}"
- name: COMMAND | Create self-signed certificates
@@ -78,5 +82,5 @@
creates: "{{ '/tmp/dummy' if item.force is defined and item.force else item | nginx_cert_path(nginx_ssl_dir) }}"
loop: "{{ nginx_ssl_pairs }}"
when: item.self_signed is defined
notify: restart nginx
notify: Restart nginx
no_log: "{{ not nginx_debug_role }}"

10
tasks/upstream.yml
View File

@@ -4,21 +4,21 @@
ansible.builtin.template:
src: "etc/nginx/conf.d/php.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/php.conf"
mode: 0644
mode: "0644"
owner: root
group: root
notify: reload nginx
notify: Reload nginx
- name: TEMPLATE | Deploy other upstreams
ansible.builtin.template:
src: "etc/nginx/conf.d/_upstream.conf.j2"
dest: "{{ nginx_etc_dir }}/conf.d/upstream-{{ item.name }}.conf"
mode: 0644
mode: "0644"
owner: root
group: root
loop: "{{ nginx_upstreams }}"
when: item.state is not defined or item.state == 'present'
notify: reload nginx
notify: Reload nginx
- name: FILE | Delete other upstreams
ansible.builtin.file:
@@ -26,4 +26,4 @@
state: absent
loop: "{{ nginx_upstreams }}"
when: item.state is defined and item.state == 'absent'
notify: reload nginx
notify: Reload nginx

25
templates/etc/nginx/helper/ssl-legacy.j2
View File

@@ -1,16 +1,23 @@
#
# {{ ansible_managed }}
#
# See: https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1n&hsts=false&guideline=5.7
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_protocols TLSv1.1 TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }};
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Replace with the IP address of your resolver
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
# vim:filetype=nginx

19
templates/etc/nginx/helper/ssl-strong.j2
View File

@@ -1,18 +1,21 @@
#
# {{ ansible_managed }}
#
# See: https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=1.1.1n&hsts=false&guideline=5.7
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";
ssl_protocols TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# Replace with the IP address of your resolver
resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
resolver_timeout {{ nginx_resolver_timeout }};
ssl_dhparam {{ nginx_dh_path }};
# vim:filetype=nginx

3
templates/etc/nginx/nginx.conf.j2
View File

@@ -5,6 +5,9 @@
user {{ nginx_user }};
worker_processes {{ nginx_worker_processes }};
pid {{ nginx_pid }};
{% for i in nginx_custom_core %}
{{ i }}
{% endfor %}
include {{ nginx_etc_dir }}/modules-enabled/*.conf;
events {

1
tests/includes/post_Debian.yml
View File

@@ -1 +0,0 @@
---

1
tests/includes/post_FreeBSD.yml
View File

@@ -1 +0,0 @@
---

265
tests/includes/post_common.yml
View File

@@ -1,265 +0,0 @@
---
# --------------------------------
# Deploy index files
# --------------------------------
- name: -- Add PHP file --
ansible.builtin.copy:
dest: "{{ nginx_root }}/{{ item }}/public/index.php"
content: "<?php phpinfo();"
mode: 0644
owner: root
group: root
loop:
- 'test-php.local'
- 'test-php-index.local'
- 'test-php-index2.local'
- name: -- Add Directories --
ansible.builtin.file:
path: "{{ item }}"
state: directory
mode: 0755
loop:
- "{{ nginx_root }}/test-htpasswd.local/public/hello"
- "/tmp/custom-template"
- name: -- Add HTML file --
ansible.builtin.copy:
dest: "{{ item }}/index.html"
content: "Index HTML test OK\n"
mode: 0644
owner: root
group: root
loop:
- '{{ nginx_root }}/first-test/public'
- '/var/tmp'
- '{{ nginx_root }}/test-htpasswd-all.local/public'
- '{{ nginx_root }}/test-ssl.local/public'
- '{{ nginx_root }}/test-ssl-selfsigned.local/public'
- '{{ nginx_root }}/test-ssl-predeployed.local/public'
- '{{ nginx_root }}/test-ssl-proxy-protocol.local/public'
- '{{ nginx_root }}/{{ ngrok.stdout }}/public'
- name: -- Create directory --
ansible.builtin.file:
path: "{{ nginx_root }}/test-htpasswd.local/public/hello"
state: directory
mode: 0755
owner: root
group: root
- name: -- Add HTML file hello --
ansible.builtin.copy:
dest: "{{ nginx_root }}/test-htpasswd.local/public/hello/index.html"
content: "hello\n"
mode: 0644
owner: root
group: root
# --------------------------------
# Test custom facts
# --------------------------------
- name: -- CHECK FACTS --
ansible.builtin.assert:
that: "'{{ ansible_local.nginx.fact_nginx_sites[0].name[0] }}' == 'test.local'"
# --------------------------------
# Simple sites tests
# --------------------------------
- name: -- VERIFY SITES --
ansible.builtin.uri:
url: "http://{{ item | nginx_site_name }}{% if item.listen is defined %}:{{ item.listen[0] }}{% endif %}/"
status_code: '200,301,302,401,403'
follow_redirects: none
loop: "{{ nginx_sites }}"
when: item.state is undefined or item.state != "absent"
changed_when: false
- name: -- VERIFY FORBIDDEN --
ansible.builtin.uri:
url: "http://test-php-index.local/phpinfo.php"
status_code: 403
- name: -- VERIFY REDIRECT SITES --
ansible.builtin.uri:
url: "http://{{ item.redirect_from[0] }}/"
status_code: 301
follow_redirects: none
loop: "{{ nginx_sites }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and (item.proto is not defined or 'https' not in item.proto)
changed_when: false
- name: -- VERIFY REDIRECT HTTPS SITES --
ansible.builtin.uri:
url: "https://{{ item.redirect_from[0] }}:{{ item.listen_ssl[0] | default(443) }}/"
status_code: 301
follow_redirects: none
validate_certs: false
loop: "{{ nginx_sites }}"
when: item.redirect_from is defined and (item.state is undefined or item.state != "absent") and item.proto is defined and 'https' in item.proto
changed_when: false
# --------------------------------
# PHP
# --------------------------------
- name: -- VERIFY PHP SITES --
ansible.builtin.uri:
url: "http://{{ item.name }}/"
return_content: true
register: p
loop: "{{ nginx_sites }}"
when: >
item.template is defined and
(item.template == '_php' or item.template == '_php_index' or item.template == '_php_index2')
failed_when: p.content.find('PHP Version') == -1
- name: -- VERIFY INDEX2 --
ansible.builtin.uri:
url: "http://test-php-index2.local/lorem.php?ipsum=sit&dolor=amet"
return_content: true
register: p2
failed_when: p2.content.find('PHP Version') == -1
# --------------------------------
# Basic Auth
# --------------------------------
- name: -- VERIFY AUTH BASIC NONE --
ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/"
status_code: 401
- name: -- VERIFY AUTH BASIC FAIL --
ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/"
status_code: 401
user: "fail"
password: "fail"
force_basic_auth: true
- name: -- VERIFY AUTH BASIC OK --
ansible.builtin.uri:
url: "http://test-htpasswd.local/hello/"
user: "hanx"
password: "qwerty"
force_basic_auth: true
- name: -- VERIFY AUTH BASIC FAIL GLOBAL --
ansible.builtin.uri:
url: "http://test-htpasswd-all.local/"
status_code: 401
user: "fail"
password: "fail"
force_basic_auth: true
- name: -- VERIFY AUTH BASIC OK GLOBAL --
ansible.builtin.uri:
url: "http://test-htpasswd-all.local/"
user: "hanx"
password: "qwerty"
force_basic_auth: true
# --------------------------------
# SSL
# --------------------------------
- name: -- VERIFY SSL --
ansible.builtin.uri:
url: "https://{{ item }}/"
return_content: true
validate_certs: false
register: sslok
failed_when: sslok.content.find('Index HTML test OK') == -1
loop:
- 'test-ssl-predeployed.local'
- 'test-ssl-selfsigned.local'
- 'test-ssl.local'
- '{{ ngrok.stdout }}'
- name: -- VERIFY SSL REDIRECT --
ansible.builtin.uri:
url: "http://{{ item.name }}/"
validate_certs: false
status_code: 301
return_content: true
follow_redirects: none
register: sslredirok
failed_when: '"https://%s%s" % (item.name, ":" + item.port if item.port is defined else "") not in sslredirok.location'
loop:
- name: 'test-ssl-redirect.local'
- name: 'test-ssl-redirect-many.local'
port: '8443'
- name: 'test-ssl-redirect-many2.local'
port: '8443'
# --------------------------------
# Default sites
# --------------------------------
- name: -- VERIFY DEFAULT SITE --
ansible.builtin.uri:
url: 'http://127.0.0.1/'
return_content: true
register: vdefault
failed_when: >
vdefault.content.find('Index HTML test OK') == -1 or
vdefault.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SITE + STUB STATUS--
ansible.builtin.uri:
url: 'http://127.0.0.1/status'
return_content: true
register: vdefault_status
failed_when: >
vdefault_status.content.find('Active connections') == -1 or
vdefault_status.x_ansible_default is not defined
- name: -- VERIFY DEFAULT SSL SITE --
ansible.builtin.uri:
url: 'https://127.0.0.1/'
return_content: true
validate_certs: false
register: vdefault
failed_when: >
vdefault.content.find('Index HTML test OK') == -1 or
vdefault.x_ansible_default is not defined
- name: -- VERIFY NOT DEFAULT SITE --
ansible.builtin.uri:
url: 'http://test-php.local/'
return_content: true
register: vphp
failed_when: vphp.x_ansible_default is defined
- name: -- VERIFY NOT DEFAULT SSL SITE --
ansible.builtin.uri:
url: 'https://test-ssl.local/'
return_content: true
validate_certs: false
register: notdefaultssl
failed_when: notdefaultssl.x_ansible_default is defined
# --------------------------------
# Check Proxy protocol
# --------------------------------
- name: SHELL | Check HTTP proxy protocol
ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol'
args:
executable: /bin/bash
warn: false
changed_when: false
- name: SHELL | Check HTTPS proxy protocol
ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol'
args:
executable: /bin/bash
warn: false
changed_when: false
# --------------------------------
# Check HTTP2
# --------------------------------
- name: SHELL | Check HTTP2
ansible.builtin.shell: set -o pipefail && nghttp -nv https://localhost 2> /dev/null | grep -q h2
args:
executable: /bin/bash
changed_when: false
when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules

83
tests/includes/pre_Debian.yml
View File

@@ -1,83 +0,0 @@
---
- name: APT_REPOSITORY | Install backports
apt_repository:
repo: 'deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main'
state: present
when: nginx_backports
- name: APT | Install needed packages
apt:
pkg: "{{ packages }}"
update_cache: true
cache_valid_time: 3600
state: present
vars:
packages:
- cron
- curl
- daemonize
- jq
- nghttp2
- strace
- vim
- unzip
- name: APT | Install PHP
apt:
pkg: "{{ pkgs }}"
update_cache: true
cache_valid_time: 3600
state: present
vars:
pkgs:
- php-cli
- php-fpm
- name: SHELL | Get current PHP version
shell: php --version | awk '/^PHP/ { print $2 }' | grep -o -E '^.{3}'
changed_when: false
register: cur_php_version
# Bypasses Ansible+Docker issue. With service module... php is not really started!
- name: COMMAND | Force start PHP
command: "service php{{ cur_php_version.stdout }}-fpm start"
args:
creates: "/run/php/php{{ cur_php_version.stdout }}-fpm.pid"
warn: false
- name: GET_URL | Download ngrok
get_url:
url: "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip"
dest: "/tmp/ngrok.zip"
- name: UNARCHIVE | Uncompress ngrok
unarchive:
src: "/tmp/ngrok.zip"
dest: "/tmp"
remote_src: true
- name: SET_FACT | ngrok_path
set_fact:
ngrok_path: '/tmp/ngrok'
- name: USER | Create PHP User foo
user:
name: foo
system: true
- name: INCLUDE_ROLE | HanXHX.php
include_role:
name: "{{ playbook_dir }}/HanXHX.php"
vars:
php_version: "{{ cur_php_version.stdout }}"
php_autoremove_default_pool: false
php_fpm_poold:
- name: 'hx_unix'
user: 'foo'
php_value:
display_errors: 'Off'
php_admin_value:
memory_limit: '98M'
- name: 'hx_ip'
listen: '127.0.0.1:9636'

66
tests/includes/pre_FreeBSD.yml
View File

@@ -1,66 +0,0 @@
---
- name: SET_FACT | FreeBSD web user
set_fact:
nginx_pkgng_package: 'nginx-full'
nginx_user: 'www'
nginx_php:
- upstream_name: 'manual'
sockets:
- host: '127.0.0.1'
port: 9000
- upstream_name: 'hx_unix'
sockets:
- host: '127.0.0.1'
port: 9000
- upstream_name: 'hx_ip'
sockets:
- host: '127.0.0.1'
port: 9000
ngrok_path: '/usr/local/bin/ngrok'
- name: PKGNG | Install needed packages
pkgng:
pkg: "{{ packages }}"
state: present
vars:
packages:
- bash
- curl
- daemonize
- fcgiwrap
- jq
- nghttp2
- php74
- vim
- name: SERVICE | Force start services
service:
name: "{{ item }}"
state: started
enabled: true
register: sf
loop:
- php-fpm
- name: STAT | Check ports
stat:
path: /usr/ports
register: ports
- block:
- name: COMMAND | Get ports
command: portsnap fetch --interactive
- name: COMMAND | Extract ports
command: portsnap extract
no_log: true
when: not ports.stat.exists
- name: SHELL | Install ngrok
shell: make install clean DISABLE_LICENSES=yes
args:
chdir: /usr/ports/security/ngrok
creates: "{{ ngrok_path }}"

74
tests/includes/pre_common.yml
View File

@@ -1,74 +0,0 @@
---
- name: SHELL | Start ngrok
shell: daemonize -l /tmp/ngrok.lock {{ ngrok_path }} http 80 -bind-tls=false
failed_when: false
changed_when: ngrok.stderr.find("Can't lock the lock file") == -1
register: ngrok
- name: WAIT_FOR | ngrok started
wait_for:
delay: 2
port: 4040
when: ngrok.changed
- name: SHELL | Get ngrok public address
shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3
args:
executable: /bin/bash
warn: false
register: ngrok
changed_when: false
- name: LINEINFILE | Tune vimrc
lineinfile:
line: "set mouse="
dest: "{{ item }}/.vimrc"
create: true
loop:
- /root
- /home/vagrant
- name: FILE | Create an internal SSL dir
ansible.builtin.file:
path: "{{ int_ansible_ssl_dir }}"
state: directory
mode: 0750
owner: root
group: root
- name: COPY | Deploy test certificate
ansible.builtin.copy:
src: "file/test.crt"
dest: "{{ int_ansible_ssl_dir }}/test.crt"
mode: 0640
owner: root
group: root
- name: COPY | Deploy test key
ansible.builtin.copy:
src: "file/test.key"
dest: "{{ int_ansible_ssl_dir }}/test.key"
mode: 0640
owner: root
group: root
- name: COPY | Add all hosts in /etc/hosts
ansible.builtin.copy:
content: |
127.0.0.1 localhost
{% for s in nginx_sites %}
{% if s.name is string %}
127.0.0.1 {{ s.name }}
{% else %}
127.0.0.1 {% for n in s.name %}{{ n }} {% endfor %}
{% endif %}
{% if s.redirect_from is defined %}
127.0.0.1 {% for rf in s.redirect_from %}{{ rf }} {% endfor %}
{% endif %}
{% endfor %}
dest: "/etc/hosts"
mode: 0644
owner: root
group: root
unsafe_writes: true

19
tests/test.yml
View File

@@ -1,19 +0,0 @@
---
- hosts: all
pre_tasks:
- name: INCLUDE_TASKS | Pre_tasks related to OS version
ansible.builtin.include_tasks: "includes/pre_{{ ansible_distribution }}.yml"
- name: IMPORT_TASKS | Pre_tasks common
ansible.builtin.import_tasks: "includes/pre_common.yml"
roles:
- ../../
post_tasks:
- name: INCLUDE_TASKS | Post_tasks related to OS version
ansible.builtin.include_tasks: "includes/post_{{ ansible_distribution }}.yml"
- name: IMPORT_TASKS | Post_tasks common
ansible.builtin.import_tasks: "includes/post_common.yml"

7
vars/FreeBSD.yml
View File

@@ -1,7 +0,0 @@
---
nginx_events_use: 'kqueue'
nginx_pid: '/var/run/nginx.pid'
nginx_etc_dir: '/usr/local/etc/nginx'
nginx_acmesh_bin: '/usr/local/sbin/acme.sh'