42 changed files with 209 additions and 767 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -1,43 +0,0 @@
 ---
 name: ci
 'on':
  pull_request:
  push:
    branches:
      - master
 jobs:
  yaml-lint:
    name: YAML Lint
    runs-on: ubuntu-latest
    steps:
      - name: Fetch code
        uses: actions/checkout@v3
      - name: Set up Python 3.
        uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Install test dependencies.
        run: pip3 install yamllint
      - name: Lint code.
        run: |
          yamllint .
  ansible-lint:
    name: Ansible Lint
    runs-on: ubuntu-latest
    steps:
      - name: Fetch code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Run ansible-lint
        uses: ansible/ansible-lint-action@v6.15.0
--- a/.github/workflows/galaxy.yml
+++ b/.github/workflows/galaxy.yml
@ -1,17 +0,0 @@
 ---
 name: Deploy on Ansible Galaxy
 'on':
  - push
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v2
      - name: galaxy
        uses: robertdebock/galaxy-action@1.2.0
        with:
          galaxy_api_key: ${{ secrets.galaxy_api_key }}
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@ -1,43 +0,0 @@
 ---
 name: Molecule
 'on':
  pull_request:
  push:
    branches:
      - master
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        scenario:
          - debian-10
          - debian-11
          - debian-12
          - ubuntu-22.04
        allowed-to-fail:
          - false
        include:
          - scenario: ubuntu-20.04
            allowed-to-fail: true
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          path: "${{ github.repository }}"
      - name: Molecule
        uses: gofrolist/molecule-action@v2.3.19
        with:
          molecule_options: --base-config molecule/_shared/base.yml
          molecule_args: --scenario-name ${{ matrix.scenario }}
          molecule_working_dir: "HanXHX/ansible-nginx"
        continue-on-error: ${{ matrix.allowed-to-fail }}
      - name: Fake command
        run: echo "End of job"
--- a/.gitignore
+++ b/.gitignore
@ -3,4 +3,3 @@
 *.retry
 *.pyc
 /tests/hanxhx.php
 /.idea
--- a/.travis.yml
+++ b/.travis.yml
@ -0,0 +1,51 @@
 ---
 env:
  global:
    - VAGRANT_VERSION='2.2.18'
  jobs:
    - PLATFORM='docker-debian-bullseye' ANSIBLE_VERSION='>=2.11,<2.12'
    - PLATFORM='docker-debian-buster'   ANSIBLE_VERSION='>=2.11,<2.12'
 os:
  - linux
 dist: focal
 language: python
 python:
  - 3.8
 services:
  - docker
 before_install:
  - sudo apt-get -q update
  - sudo apt-get install -y yamllint
  - sudo wget -nv https://releases.hashicorp.com/vagrant/${VAGRANT_VERSION}/vagrant_${VAGRANT_VERSION}_x86_64.deb
  - sudo dpkg -i vagrant_${VAGRANT_VERSION}_x86_64.deb
 install:
  - sudo pip install "ansible-core$ANSIBLE_VERSION"
  - sudo pip install ansible-lint
  - ansible-galaxy collection install community.general
  - ansible-galaxy install -p ./tests hanxhx.php
 script:
  - VAGRANT_DEFAULT_PROVIDER=docker vagrant up $PLATFORM
  - >
    VAGRANT_DEFAULT_PROVIDER=docker vagrant provision $PLATFORM
    | grep -q 'changed=0.*failed=0'
    && (echo 'Idempotence test: pass' && exit 0)
    || (echo 'Idempotence test: fail' && exit 1)
  - VAGRANT_DEFAULT_PROVIDER=docker vagrant status
  - >
    yamllint .
    && (echo 'YAML lint test: pass' && exit 0)
    || (echo 'YAML lint test: fail' && exit 1)
  - >
    ansible-lint -v tests/test.yml
    && (echo 'Ansible lint test: pass' && exit 0)
    || (echo 'Ansible lint test: fail' && exit 1)
 notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--- a/README.md
+++ b/README.md
@ -1,7 +1,7 @@
 Nginx for Debian/FreeBSD Ansible role
 =====================================
-[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) ![GitHub Workflow Status (master branch)](https://img.shields.io/github/actions/workflow/status/hanxhx/ansible-nginx/molecule.yml?branch=master)
+[![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-HanXHX.nginx-blue.svg)](https://galaxy.ansible.com/HanXHX/nginx/) [![Build Status](https://app.travis-ci.com/HanXHX/ansible-nginx.svg?branch=master)](https://app.travis-ci.com/HanXHX/ansible-nginx)
 Install and configure Nginx on Debian/FreeBSD.
@ -21,16 +21,13 @@ Features:
 Supported OS:
 | OS                   | Working | Stable (active support) |
-|----------------------|---------|------------------------------------------------------------------------------------------------------|
+| -------------------- | ------- | ----------------------- |
 | Debian Jessie (8)    | Yes     | Check latest supported version ([1.5.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.5.0)) |
 | Debian Stretch (9)   | Yes     | Check latest supported version ([1.9.0](https://github.com/HanXHX/ansible-nginx/releases/tag/1.9.0)) | 
 | Debian Buster (10)   | Yes     | Yes                     |
 | Debian Bullseye (11) | Yes     | Yes                     |
-| Debian Bookworm (12) | Yes     | Not yet :)                                                                                           |
+| FreeBSD 11           | Yes     | No                      |
-| FreeBSD 11           | NA      | No                                                                                                   |
+| FreeBSD 12           | Yes     | No                      |
 | FreeBSD 12           | NA      | No                                                                                                   |
 | Ubuntu 20.04         | Yes     | Yes                                                                                                  |
 | Ubuntu 22.04         | Yes     | Yes                                                                                                  |
 Requirements
 ------------
@ -69,7 +66,6 @@ FreeBSD:
 - `nginx_pid`: daemon pid file
 - `nginx_events_*`: all variables in events block
 - `nginx_http_*`: all variables in http block
 - `nginx_custom_core`: instructions list (for core, will put data in `/etc/nginx/nginx.conf`)
 - `nginx_custom_http`: instructions list (will put data in `/etc/nginx/conf.d/custom.conf`)
 - `nginx_module_packages`: package list module to install (Debian)
 - `nginx_load_modules`: module list to load (full path), should be used only on FreeBSD
@ -103,33 +99,22 @@ Fine configuration
 Note
 ----
- Active support for Debian/Ubuntu.
+- Active support for Debian.
- FreeBSD support is experimental. I only test (for the moment) 10.2 (but it can work on other versions).
+- FreeBSD support is experimental (no Travis). I only test (for the moment) 10.2 (but it can work on other versions).
 Dependencies
 ------------
-See: [requirements.yml](requirements.yml).
+None
-If you need to dev this role locally on Vagrant
+If you need to dev this role locally
------------------------------------------------
+------------------------------------
 Before use vagrant, run once:
 ```commandline
 ansible-galaxy install -p ./tests/ HanXHX.php,master
 ```
-
+ansible-galaxy install -p ./tests/ HanXHX.php,master
 If you need to dev this role locally with molecule
 --------------------------------------------------
 Check available scenarios in [molecule](molecule) directory.
 With `debian-12` scenario:
 ```commandline
 molecule -v -c molecule/_shared/base.yml verify -s debian-12
 ```
 Example Playbook
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -84,7 +84,6 @@ nginx_http_gzip_disable: '"msie6"'
 # Custom global configuration
 #
 nginx_custom_http: []
 nginx_custom_core: []
 #
 # Nginx default
--- a/doc/ssl.md
+++ b/doc/ssl.md
@ -8,7 +8,7 @@ Variables
 - `nginx_dh`: DH content
 - `nginx_dh_length`: DH key length (default is 2048)
- `nginx_dh_path`: file location
+- `nginx_dh_path`: file localation
 - `nginx_ssl_dir`: directory where you install your SSL/TLS keys
 - `nginx_ssl_pairs`
@ -20,7 +20,7 @@ Note: `name` is used to deploy key/cert. With defaults values dans `name` = "foo
 ### Content mode
-Key/Cert content is stored in variable. Useful with vault.
+Key/Cert content is stored in variable. Usefull with vault.
 - `key`: content of the private key
 - `cert`: content of the public key
@ -36,7 +36,7 @@ You can use these variables if you use another task/role to manages your certifi
 Create a self-signed pair and deploy it. Do not use this feature in production.
- `self_signed`: set true to use this feature
+- `self_signed`: set true to use this featrure
 - `force`: optional feature (default: false), force regen pair (not idempotent)
 ### Acme
@ -45,7 +45,7 @@ Uses acme.sh to create free certificates. It uses HTTP-01 challenge. Use this fe
 - `acme`: set true to use this feature. It uses `name` (can be a string or string list).
-Have a look to [acme configuration](acme.md configuration).
+Have a look to [acme configuratuion](acme.md configuration).
 Tips
 ----
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,14 +1,46 @@
 ---
 - name: Reload nginx
  ansible.builtin.command: nginx -t
  notify:
    - Real-reload nginx
    - Docker reload nginx
 - name: Restart nginx
  ansible.builtin.command: nginx -t
  notify:
    - Real-restart nginx
    - Docker restart nginx
 - name: Real-reload nginx
  ansible.builtin.service:
    name: nginx
    state: reloaded
  when: ansible_virtualization_type != 'docker'
- name: Restart nginx
+- name: Real-restart nginx
  ansible.builtin.service:
    name: nginx
    state: restarted
  when: ansible_virtualization_type != 'docker'
 - name: Docker reload nginx
  ansible.builtin.command: service nginx reload
  args:
    warn: false
  when: ansible_virtualization_type == 'docker'
 - name: Docker restart nginx
  ansible.builtin.command: service nginx restart
  args:
    warn: false
  when: ansible_virtualization_type == 'docker'
 - name: Restart nginx freebsd
  ansible.builtin.service:
    name: nginx
    state: restarted
  when: ansible_distribution == "FreeBSD"
 - name: Setup
  ansible.builtin.setup:
--- a/meta/main.yml
+++ b/meta/main.yml
@ -13,11 +13,6 @@ galaxy_info:
      versions:
        - buster
        - bullseye
        - bookworm
    - name: Ubuntu
      versions:
        - focal
        - jammy
    - name: FreeBSD
      versions:
        - '11.0'
--- a/molecule/_shared/Dockerfile.j2
+++ b/molecule/_shared/Dockerfile.j2
@ -1,19 +0,0 @@
 # Molecule managed
 {% if item.registry is defined %}
 FROM {{ item.registry.url }}/{{ item.image }}
 {% else %}
 FROM {{ item.image }}
 {% endif %}
 {% if item.env is defined %}
 {% for var, value in item.env.items() %}
 {% if value %}
 ENV {{ var }} {{ value }}
 {% endif %}
 {% endfor %}
 {% endif %}
 RUN apt-get update && \
 	apt-get install -y python3 sudo bash ca-certificates iproute2 python-apt-common \
 	&& apt-get clean
--- a/molecule/_shared/base.yml
+++ b/molecule/_shared/base.yml
@ -1,39 +0,0 @@
 ---
 scenario:
  test_sequence:
    - dependency
    - syntax
    - create
    - prepare
    - converge
    - idempotence
    - verify
    - destroy
 dependency:
  name: galaxy
  options:
    requirements-file: ./molecule/_shared/requirements.yml
    role-file: ./molecule/_shared/requirements.yml
 driver:
  name: docker
 role_name_check: 1
 provisioner:
  name: ansible
  env:
    ANSIBLE_FILTER_PLUGINS: "../../filter_plugins"
  config_options:
    defaults:
      deprecation_warnings: false
      callback_whitelist: timer,profile_tasks
      fact_caching: jsonfile
      fact_caching_connection: ./cache
      forks: 100
    connection:
      pipelining: true
  playbooks:
    converge: ../_shared/converge.yml
    prepare: ../_shared/prepare.yml
    verify: ../_shared/verify.yml
 verifier:
  name: ansible
--- a/molecule/_shared/converge.yml
+++ b/molecule/_shared/converge.yml
@ -1,20 +0,0 @@
 ---
 - name: Converge
  hosts: all
  gather_facts: true
  vars_files:
    - vars/misc.yml
  vars:
    nginx_debug_role: true
  tasks:
    - name: SHELL | Get ngrok public address
      ansible.builtin.shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3
      args:
        executable: /bin/bash
      register: ngrok
      changed_when: false
    - name: Include role
      ansible.builtin.include_role:
        name: "hanxhx.nginx"
--- a/molecule/_shared/file/test.crt
+++ b/molecule/_shared/file/test.crt
@ -1,19 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIIDHTCCAgWgAwIBAgIJAJzUwbFlhyxIMA0GCSqGSIb3DQEBCwUAMCUxIzAhBgNV
 BAMMGnRlc3Qtc3NsLXByZWRlcGxveWVkLmxvY2FsMB4XDTE2MDExMjE2MDUxNVoX
 DTI2MDEwOTE2MDUxNVowJTEjMCEGA1UEAwwadGVzdC1zc2wtcHJlZGVwbG95ZWQu
 bG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDm4q94vffiU89G
 GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk
 L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9
 d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6
 xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4
 PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV
 9iPxkkRNAgMBAAGjUDBOMB0GA1UdDgQWBBSzXW5UY02/S0xrrobZCVOhas6VeDAf
 BgNVHSMEGDAWgBSzXW5UY02/S0xrrobZCVOhas6VeDAMBgNVHRMEBTADAQH/MA0G
 CSqGSIb3DQEBCwUAA4IBAQC0+Tr0w9aG4f3LG3+WRGKfMopKICNEkA7JrPrvVUq8
 7UgtdrpOUZAL5AKxVVo1rHDdoL/VpjdqHdhyPzaSUl8hppCFsWmdQh4wLKGoyvcN
 AqSGpXTeLSoFJ357F2OIQpXm2lfT2fVGebwyCNFkwpp7klFnmOusSl2/v5Y5cz+A
 WvWrDg3jsNglx3mNLVcjbOSnen2PsZSmcVo27D0el6oDju8jjstyJ+Dvu0WP+CDL
 s/VolFdbei7d4r2dj86OZ/BCZurltyc0wI3NMOdUuA7q4f1MPTRu7qr/ua5ItK92
 Avc+Gjn/Y/aIhzKpPicJQDK6FzxjfhCc8xtk0EjB4IpP
 -----END CERTIFICATE-----
--- a/molecule/_shared/file/test.key
+++ b/molecule/_shared/file/test.key
@ -1,28 +0,0 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDm4q94vffiU89G
 GO7rjDfr3C32tH9sM5sXqJT+7N5BLYLF0iSRIvy33MtwFu//TV3f+8nLlQuHYVVk
 L6NEvaL8lh+nRexCQ/y+aXMh7lMhuwPXGgPR1LXsTqyDXbmV9c7k/Kwx5qHAcOb9
 d9YzmcOSO4M9v3WMl/4Zw2J7zNYruypxNBgFEwFx3NJ3AztACMYoVOIR5mS8ARX6
 xea4ddii1F41Vch+eiCGP9VZwDhEujhjy9PXvdBtYNwggM6d82Df9wwaFyIW5DU4
 PhpgAngvE2keY0GLy/LaXa6LAW+TCfPMRT2RtDuvqWr+useWF+O3n81TZqM/G7LV
 9iPxkkRNAgMBAAECggEAEEeZkczrRpUcP1gQuKEZbFMJFqUhevKkk+V6JAN1pGje
 GK65j1ZFNX2nBo9Hetvsq5doYidvOat+RuMpAvbQIDlBoBzJDN8YWiC7UoAocm9q
 VOdrr4btEO13MogQRuefH/xE8/vMGfKcBvFFNDw6UvxJQ7hVRIWPECf7sLj/vPOC
 OpMKghxcabQqidMPKyyHVPhQjuIvqW/SqBFpD+Ul0Ja1QGdx+p+/EwVmXnei6Kr8
 /ypULreHqIlBLD6McfFehxDV0m5U7qXb5xK3zdUurIhZixKLjbdRrorNInfEvlOh
 vDy+hsF5GSzvn9dRrMAy/QcRPpXU47VNYZ5BfdCBTQKBgQD8VCbdpG5siXSlIjZd
 xypgK1ttp8udTPWC1trnAc+Ku9O+cGmvABxYJA1iR/GDpSfMxglB7OhSecywKrr+
 S7Yjs9e/dyBmvF7U15JJaGp+db2Ct64z7MvqkwSJ5a0qrrZJRFetDdqdH9FPvURs
 B147jbKsPiGcljjXbZlOBHJH9wKBgQDqPqoA3VqYOmvR7Ei8/skY2EOpFpOhSNko
 ARFwUsDNHRk677URH97TCHq5UrwubfCeIcIptXHrMfaTsfq8vPLPykReIMRaknxf
 DULJPHSoeBLrCAZmaWF1JVyYhrLhHNAzQ3u7a/kYIJm87FEZy3Ml6FSZmIGbRBqx
 zqZYKoHs2wKBgQD469tbk7cLg556uYGAidYYAS20w29uwlkAtgxFD9g6OIjuud7I
 MQfFO+uoJOjwwaC9ti+zxY56roVq1PybmP0Zw3T3AQIJ15KFzhQWLte/4U8PATzt
 JJEV2+sCTn3COZDCPpVvttcPYjAOxdwV5j7j6Sl2GeT2oIt6mjg+asyCiQKBgQDk
 LPxu8TBRfv8OMqs8Jrf/EpL9/7b48bxOwpOZJZMXelPcXCm1r6TfTrA1HAmg9Ijh
 kKLQ/CUm5Ll7b3B+L1Qa4r2sLyD11SF/eaxn2BMPFD/hYCTT160ObsF+9h8DN4z7
 kq3RiMDRJth69nuds9fLwj++ipcdhr62G0VgNq/u5wKBgCz/I5J3tPNjrU9YampR
 0gNnUkUfJWbiVMsG9uwL9l0L/ZzQHvELJ523QXQ0v/e/szHCyoX319u8HEQlC0Jw
 Twlj81HDZzruDUB/mcH6Ee3zHKOmmF6ma+CgoYJJElKW89MUttPdmkH2J1QqLz+7
 EGREwqjr8/wm22DzKNiyDXJ0
 -----END PRIVATE KEY-----
--- a/molecule/_shared/prepare.yml
+++ b/molecule/_shared/prepare.yml
@ -1,15 +0,0 @@
 ---
 - name: Prepare
  hosts: all
  gather_facts: true
  vars_files:
    - vars/misc.yml
  tasks:
    - name: INCLUDE_TASKS | Pre tasks related to OS
      ansible.builtin.include_tasks: "../../tests/includes/pre_{{ ansible_os_family }}.yml"
    - name: INCLUDE_TASKS | Pre_tasks common
      ansible.builtin.include_tasks: "../../tests/includes/pre_common.yml"
--- a/molecule/_shared/requirements.yml
+++ b/molecule/_shared/requirements.yml
@ -1,7 +0,0 @@
 ---
 roles:
  - name: hanxhx.php
 collections:
  - community.general
--- a/molecule/_shared/templates/custom_template.conf.j2
+++ b/molecule/_shared/templates/custom_template.conf.j2
@ -1,16 +0,0 @@
 # {{ ansible_managed }} - custom template
 server {
 	listen 80;
 	listen 8888 http2;
 	listen 9999 http2 proxy_protocol;
 	server_name {{ item.name }};
 	index index.html index.htm;
 	root {{ item.root }};
 	location / {
 		try_files $uri $uri/ =404;
 	}
 }
--- a/molecule/_shared/vars/misc.yml
+++ b/molecule/_shared/vars/misc.yml
@ -1,259 +0,0 @@
 ---
 # Force SysVinit, since systemd won't work in a Docker container
 ansible_service_mgr: "sysvinit"
 # ----------------------------------------
 # Copied from {role_dir}/tests/group_vars/all.yml
 # ----------------------------------------
 # Internal vars
 int_ansible_ssl_dir: '/etc/ansible-ssl'
 # Role vars
 nginx_worker_processes: 1    # Ansible+FreeBSD can't detect CPU number
 nginx_apt_package: 'nginx-extras'
 nginx_module_packages: ['libnginx-mod-http-headers-more-filter']
 nginx_custom_core:
  - 'worker_rlimit_nofile 4242;'
 nginx_upstreams:
  - name: 'test'
    servers:
      - path: '127.0.0.1:80'
        max_conns: 150
        weight: 10
        down: false
  - name: 'test-absent'
    servers:
      - path: '127.0.0.1:80'
        max_conns: 150
        weight: 10
        down: false
    state: 'absent'
 nginx_htpasswd:
  - name: 'hello'
    description: 'Please login!'
    users:
      - name: 'hx'
        password: 'asdfg'
        state: 'absent'
      - name: 'hanx'
        password: 'qwerty'
  - name: 'deleteme'
    description: 'Please login!'
    users: []
    state: 'absent'
 nginx_acmesh: true
 nginx_acmesh_test: true
 nginx_ssl_pairs:
  - name: '{{ ngrok.stdout }}'
    acme: true
  - name: 'test-ssl-selfsigned.local'
    self_signed: true
    force: false
  - name:
      - 'test-ssl-predeployed.local'
      - 'test-multiple-name.local'    # Hack: tests for acme with multiple name, without using acme
    dest_key: "{{ int_ansible_ssl_dir }}/test.key"
    dest_cert: "{{ int_ansible_ssl_dir }}/test.crt"
  - name: 'test-ssl.local'
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEpAIBAAKCAQEAvavrJWFp3Al2VwRgKx+4Y2mbRRvoxvyd2pyN0xMJ/tCJscaG
      8s60v6WZ9FcCOeMkSI2DXsk4z7pbQdQn0h2GDr/5MOJkPAVWSWEN46tpaLZ3v0zp
      88ZIbnEk1G0PsdFuW/pnLsakPlAMrl1VArFsV6YsatLt30UIYYcRO97StkoOehCx
      A5w+XqtfHZeQZ0/DS81633gwYUcMuSTUFZ60r7ge1/m77DTSKg3rTVk5sebP8cjS
      +aWHvxP/GyvvDsT+3gjRJx2/5O3JkfH0zaOsaU2Avj0PR0c5rhynrNO/l1k+GJJB
      cbBrM+yA8Ofzp4oXUrCfaIq3RuL3Pd+khcKsiwIDAQABAoIBAQCPpAMQ7BUfbosQ
      m1+5SOx7XR8Z12kSSX3CcY12rJSFRakB2TeZ6rE38lIFmV82N67iw0kaH4nGx3sU
      /3aoyXMc+IXfX5RJYEFYkQfTw5ywkH9fgQAsfZ2dBlK+DVo1cEYDoj9CTW1VQ4pX
      Ape+0l8agd5hiBxdWgpe0ctbbARnx584viLiA/iPBDNxKi9zEYw+WP7hSj5QWahr
      a09tubcC4L6tjvv8CoZTRSKfCW64vWRDvE6vmA+zJN9Arc1WTYzF1KO1Gybwf8h7
      stJb191smAgGDFhKo0j58ncyAnrS1k4mapm86QQhlfIA6DKvvC0qm3KdQns5b7HM
      PyzW0hwBAoGBAO2mTVTOsziom9vtBwM0nRMMEgynR2X3EKMJz2mjcCf66f1F+aQ5
      DvQFM2V8S2s1nGnPh8NKKZ8DxW1NKuR4qx82zeAXpUs9ibHxOnw4YRC485zqc2Wt
      fSO1OEDYeKyzWP1nGGtCntYUXzJnWn/wz0mBGKzLKTuLwyFIKx1b7bybAoGBAMxR
      N+lT57rX6d4GUqcgNOuWMZ/D8egnE5+hsoiFnHOisRLOgUgBBSy4rwAZx+rdHYT+
      RO11L1PLYEzyvnO0f13R+N7aqKwNXDSzZGA+jb4pjkVidIC2smG/JYKJH5Z+kakw
      mwMKP0wdRZJsCaMgScHmWJS8d6Ox/XJJoWrTWTbRAoGAWJlEgVaiaIArwz1F/QLz
      gHNik0cWDkSi9jWlFxwwpycbbypUXM5M7dq2g6JoN6sACk6trbgLdlYgl5RKZm06
      VuPGs0H9hOSHXkix5jfasDJT2G9r4D9ixRo9w6cwriobBjYWW3612tgzeYYgrkwn
      655uhZUkZSfA8rqGIGbyZfsCgYAf5WH8G+wmIATTc1s92epJCOZwUY+XNVp75itP
      4sPczX4lOHW4PuiG5cH0GxI5mRE9rNAn3c5on2xGNvMCbyAfDmNyruH8Eg3d8E9w
      MvO/xw79x/P2EA9i8QszCKMUxGeK6RqZ6+SbxkoRJKqQe77n9UTI228179hoGhSH
      77ySsQKBgQC8SSZn6a8PpSIIFXB9WCFMwfGFYbUz0wvpaeZP8GKx3BEzMeJqSUaJ
      hrQgpwQXkueeamlCQcvV3AUCoBRWTYRLDrWiUIXuIgikDWBFp6TBvTnVRI7iktly
      fNED7jXOSjJqnFmdkZlAI5V8dM++mVYVykJD6jcaVRQvxqFLrhSaRg==
      -----END RSA PRIVATE KEY-----
    cert: |
      -----BEGIN CERTIFICATE-----
      MIIDBTCCAe2gAwIBAgIJALKJfbk5vuieMA0GCSqGSIb3DQEBBQUAMBkxFzAVBgNV
      BAMMDnRlc3Qtc3NsLmxvY2FsMB4XDTE2MDExMTE2NDI0NFoXDTI2MDEwODE2NDI0
      NFowGTEXMBUGA1UEAwwOdGVzdC1zc2wubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUA
      A4IBDwAwggEKAoIBAQC9q+slYWncCXZXBGArH7hjaZtFG+jG/J3anI3TEwn+0Imx
      xobyzrS/pZn0VwI54yRIjYNeyTjPultB1CfSHYYOv/kw4mQ8BVZJYQ3jq2lotne/
      TOnzxkhucSTUbQ+x0W5b+mcuxqQ+UAyuXVUCsWxXpixq0u3fRQhhhxE73tK2Sg56
      ELEDnD5eq18dl5BnT8NLzXrfeDBhRwy5JNQVnrSvuB7X+bvsNNIqDetNWTmx5s/x
      yNL5pYe/E/8bK+8OxP7eCNEnHb/k7cmR8fTNo6xpTYC+PQ9HRzmuHKes07+XWT4Y
      kkFxsGsz7IDw5/OnihdSsJ9oirdG4vc936SFwqyLAgMBAAGjUDBOMB0GA1UdDgQW
      BBRaSF1L+ivPhmIVGQjtviBqZWDS9DAfBgNVHSMEGDAWgBRaSF1L+ivPhmIVGQjt
      viBqZWDS9DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCjrgB9+Zuq
      Rx7T2mRUl4jf75dLabuBQD0ePALTtvNyBSghhzSr90mE7GlFOYAv0JsmEa3R1LVF
      wLPIdrIhNHpt7hN0PkhUlfgmxBnRSCfhpiq4xxsDVFM7ehtDz4+dv1LUDMXo07+E
      f24g9aqmypiFzHisUQrYIhtQmHxRpKyGp6kDAW9qNxg6k/Um00aHdYfuD9ER4ksR
      f8Hto7f+vssKxCRY2OZXqq13PxEwC5+hgAUkTdrycA/moXFuHJi3lCnCND7sSzvG
      tXBggOusyFZFC4bs2m+V+Z+RN+tK2c/c0nq5HR8MV5HwIm4Z8GoT2/0BfJ00cgWL
      lVz0gDBfdH8f
      -----END CERTIFICATE-----
 nginx_custom_http:
  - 'add_header X-ansible 1;'
  - 'geoip_country {% if ansible_os_family == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
  - 'map $geoip_country_code $allowed_country {'
  - '    default yes;'
  - '    MA no;'
  - '    DZ no;'
  - '    TN no;'
  - '}'
 nginx_default_site: 'test.local'
 nginx_default_site_ssl: 'test-ssl-predeployed.local'
 nginx_sites:
  - name:
      - 'test.local'
      - 'test-alias.local'
      - 'test2-alias.local'
    template: '_base'
    filename: 'first-test'
    override_try_files: '$uri/ $uri =404'
    headers:
      'X-Frame-Options': 'deny always'
      'X-ansible-default': '1'
    manage_local_content: false
    use_error_log: true
    more:
      - 'autoindex off;'
    location:
      '/test':
        - 'return 403;'
      '/gunther':
        - 'return 404;'
      '/status':
        - 'stub_status on;'
        - 'access_log off;'
        - 'allow 127.0.0.1;'
        - 'deny all;'
  - name: 'test-htpasswd.local'
    template: '_base'
    location_before:
      '/hello':
        - htpasswd: 'hello'
    location:
      '/public':
        - htpasswd: false
    use_error_log: true
  - name: 'test-htpasswd-all.local'
    template: '_base'
    htpasswd: 'hello'
  - name: 'test-location.local'
    template: '_base'
    location_before:
      '/b':
        - 'alias /var/tmp;'
      '/c':
        - 'alias /var/tmp;'
    location:
      '/':
        - 'alias /var/tmp;'
      '/a':
        - 'alias /var/tmp;'
    location_order_before:
      - '/b'
      - '/c'
    location_order:
      - '/'
      - '/a'
  - name: 'test-php.local'
    php_upstream: "manual"
    upstream_params:
      - 'fastcgi_param FOO bar;'
    redirect_from:
      - 'www.test-php.local'
    template: '_php'
    use_error_log: true
    use_access_log: true
  - name: 'test-php-index.local'
    template: '_php_index'
    php_upstream: 'hx_unix'
  - name: 'test-php-index2.local'
    template: '_php_index2'
    php_upstream: 'hx_ip'
  - name: 'test-proxy.local'
    listen:
      - 8080
    template: '_proxy'
    upstream_name: 'test'
    headers:
      'X-proxyfied': '1'
  - name: 'deleted.local'
    state: 'absent'
  - name: 'redirect-to.local'
    redirect_to: 'http://test.local'
  - name: 'test-ssl.local'
    proto: ['http', 'https']
    template: '_base'
  - name:
      - 'test-ssl-selfsigned.local'
      - 'www.test-ssl-selfsigned.local'
    proto: ['http', 'https']
    template: '_base'
    hsts: 'max-age=1664;'
  - name: 'test-ssl-predeployed.local'
    proto: ['http', 'https']
    template: '_base'
    ssl_name: 'test-ssl-predeployed.local'
    headers:
      'X-ansible-default': '1'
    ssl_template: false
  - name: 'test-ssl-redirect.local'
    proto: ['https']
    template: '_base'
    ssl_name: 'test-ssl.local'
    redirect_https: true
  - name:
      - 'test-ssl-redirect-many.local'
      - 'test-ssl-redirect-many2.local'
    listen_ssl: [8443]
    proto: ['https']
    template: '_base'
    ssl_name: 'test-ssl.local'
    redirect_https: true
    redirect_from:
      - 'www.test-ssl-redirect-many.local'
      - 'www.test-ssl-redirect-many2.local'
  - name: 'test-ssl-proxy-protocol.local'
    proto: ['http', 'https']
    listen_proxy_protocol: [20080]
    listen_proxy_protocol_ssl: [20443]
    template: '_base'
    ssl_name: 'test-ssl.local'
    headers:
      'X-Proxy-Protocol': '1'
  - name: '{{ ngrok.stdout }}'
    proto: ['http', 'https']
    listen_proxy_protocol: [21080]
    listen_proxy_protocol_ssl: [21443]
    template: '_base'
    ssl_name: '{{ ngrok.stdout }}'
    headers:
      'X-acme': '1'
  - name: 'test-custom-template.local'
    custom_template: 'templates/custom_template.conf.j2'
    root: '/tmp/custom-template'
 nginx_php: "{{ [{'upstream_name': 'manual', 'sockets': [{'host': '127.0.0.1', 'port': '9636'}]}] }}"
 nginx_dh_length: 1024
--- a/molecule/_shared/verify.yml
+++ b/molecule/_shared/verify.yml
@ -1,19 +0,0 @@
 ---
 - name: Verify
  hosts: all
  gather_facts: true
  vars_files:
    - vars/misc.yml
  vars:
    nginx_root: "/srv/www"
  tasks:
    - name: SHELL | Get ngrok public address
      ansible.builtin.shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3
      args:
        executable: /bin/bash
      register: ngrok
      changed_when: false
    - name: INCLUDE_TASKS | Post_tasks common
      ansible.builtin.include_tasks: "../../tests/includes/post_common.yml"
--- a/molecule/debian-10/molecule.yml
+++ b/molecule/debian-10/molecule.yml
@ -1,13 +0,0 @@
 ---
 platforms:
  - name: debian-10
    image: dokken/debian-10
    command: /lib/systemd/systemd
    dockerfile: ../_shared/Dockerfile.j2
    capabilities:
      - SYS_ADMIN
    cgroupns_mode: host
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    privileged: true
--- a/molecule/debian-11/molecule.yml
+++ b/molecule/debian-11/molecule.yml
@ -1,13 +0,0 @@
 ---
 platforms:
  - name: debian-11
    image: dokken/debian-11
    command: /lib/systemd/systemd
    dockerfile: ../_shared/Dockerfile.j2
    capabilities:
      - SYS_ADMIN
    cgroupns_mode: host
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    privileged: true
--- a/molecule/debian-12/molecule.yml
+++ b/molecule/debian-12/molecule.yml
@ -1,13 +0,0 @@
 ---
 platforms:
  - name: debian-12
    image: dokken/debian-12
    command: /lib/systemd/systemd
    dockerfile: ../_shared/Dockerfile.j2
    capabilities:
      - SYS_ADMIN
    cgroupns_mode: host
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    privileged: true
--- a/molecule/default/.gitkeep
+++ b/molecule/default/.gitkeep
--- a/molecule/ubuntu-20.04/molecule.yml
+++ b/molecule/ubuntu-20.04/molecule.yml
@ -1,20 +0,0 @@
 ---
 platforms:
  - name: ubuntu-20.04
    image: dokken/ubuntu-20.04
    command: /lib/systemd/systemd
    dockerfile: ../_shared/Dockerfile.j2
    capabilities:
      - SYS_ADMIN
    cgroupns_mode: host
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    privileged: true
 # Segfault on Ubuntu 20.04 with `nginx-extras` package...
 provisioner:
  inventory:
    host_vars:
      ubuntu-20.04:
        nginx_apt_package: 'nginx-full'
--- a/molecule/ubuntu-22.04/molecule.yml
+++ b/molecule/ubuntu-22.04/molecule.yml
@ -1,13 +0,0 @@
 ---
 platforms:
  - name: ubuntu-22.04
    image: dokken/ubuntu-22.04
    command: /lib/systemd/systemd
    dockerfile: ../_shared/Dockerfile.j2
    capabilities:
      - SYS_ADMIN
    cgroupns_mode: host
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
    privileged: true
--- a/requirements.yml
+++ b/requirements.yml
@ -1,4 +0,0 @@
 ---
 collections:
  - community.general
--- a/tasks/install/Debian.yml
+++ b/tasks/install/Debian.yml
@ -14,7 +14,7 @@
 - name: APT | Install nginx and dependencies
  ansible.builtin.apt:
    pkg: "{{ nginx_apt_package }}"
-    default_release: "{{ ansible_distribution_release + '-backports' if (nginx_backports and ansible_distribution == 'Debian') else ansible_distribution_release }}"
+    default_release: "{{ ansible_distribution_release + '-backports' if nginx_backports else ansible_distribution_release }}"
 - name: APT | Install nginx modules
  ansible.builtin.apt:
--- a/tasks/install/FreeBSD.yml
+++ b/tasks/install/FreeBSD.yml
@ -21,17 +21,20 @@
      ansible.builtin.command: touch /usr/local/etc/fdfs/http.conf
      args:
        creates: /usr/local/etc/fdfs/http.conf
-      notify: Restart nginx
+      register: fd1
    - name: LINEINFILE | Tune fdfs
-      ansible.builtin.lineinfile:
+      ansible.builtin.lineinansible.builtin.file:
        regexp: ^load_fdfs_parameters_from_tracker
        line: load_fdfs_parameters_from_tracker=false
        path: /usr/local/etc/fdfs/mod_fastdfs.conf
-      notify: Restart nginx
+      register: fd2
-    - name: META | Flush handlers (Restart nginx when fdfs is tuned)
+    - name: SERVICE | Restart nginx when fdfs is tuned
-      ansible.builtin.meta: flush_handlers
+      ansible.builtin.service:
        name: nginx
        state: restarted
      when: fd1.changed or fd2.changed
 - name: FILE | Create configuration dir (like Debian)
  ansible.builtin.file:
--- a/tasks/install/main.yml
+++ b/tasks/install/main.yml
@ -1,7 +1,7 @@
 ---
 - name: INCLUDE_TASKS | Install
-  ansible.builtin.include_tasks: "{{ ansible_os_family }}.yml"
+  ansible.builtin.include_tasks: "{{ ansible_distribution }}.yml"
 - name: IMPORT_TASKS | acme
  ansible.builtin.import_tasks: "acme.yml"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - name: INCLUDE_VARS | Related to OS
-  ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
+  ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
  tags: ['nginx::site', 'nginx::ssl']
 - name: INCLUDE_TASKS | Install
--- a/tasks/site.yml
+++ b/tasks/site.yml
@ -49,7 +49,7 @@
    mode: 0644
    owner: root
    group: root
-  notify: 'Reload nginx'
+  notify: ['Reload nginx', 'Restart nginx freebsd']
  when: (item.state is not defined or item.state != 'absent') and item.custom_template is not defined
  loop: "{{ nginx_sites }}"
  loop_control:
@ -62,7 +62,7 @@
    mode: 0644
    owner: root
    group: root
-  notify: 'Reload nginx'
+  notify: ['Reload nginx', 'Restart nginx freebsd']
  when: (item.state is not defined or item.state != 'absent') and item.custom_template is defined
  loop: "{{ nginx_sites }}"
  loop_control:
@ -73,7 +73,7 @@
    path: "{{ nginx_etc_dir }}/{{ item.1 }}/{{ item.0 | nginx_site_filename }}"
    state: absent
  loop: "{{ nginx_sites | product(dirs) | list }}"
-  notify: 'Reload nginx'
+  notify: ['Reload nginx', 'Restart nginx freebsd']
  when: item.0.state is defined and item.0.state == 'absent'
  vars:
    dirs: ['sites-available', 'sites-enabled']
@ -86,7 +86,7 @@
    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
    state: link
  loop: "{{ nginx_sites }}"
-  notify: 'Reload nginx'
+  notify: ['Reload nginx', 'Restart nginx freebsd']
  when: >
    item.state is not defined or item.state == 'present'
  loop_control:
@ -97,7 +97,7 @@
    path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_filename }}"
    state: absent
  loop: "{{ nginx_sites }}"
-  notify: 'Reload nginx'
+  notify: ['Reload nginx', 'Restart nginx freebsd']
  when: item.state is defined and item.state == 'disabled'
  loop_control:
    label: "{{ item | nginx_site_name }}"
@ -106,7 +106,7 @@
  ansible.builtin.file:
    path: "{{ nginx_etc_dir }}/sites-enabled/default"
    state: absent
-  notify: 'Reload nginx'
+  notify: ['Reload nginx', 'Restart nginx freebsd']
  when: nginx_default_site is not none
 - name: FILE | Auto set default site
@ -114,7 +114,7 @@
    src: "{{ nginx_etc_dir }}/sites-available/default"
    dest: "{{ nginx_etc_dir }}/sites-enabled/default"
    state: link
-  notify: 'Reload nginx'
+  notify: ['Reload nginx', 'Restart nginx freebsd']
  when: nginx_default_site is none
 - name: TEMPLATE | Deploy facts
--- a/tasks/ssl/acme.yml
+++ b/tasks/ssl/acme.yml
@ -29,27 +29,25 @@
        group: root
      loop: "{{ acme_create }}"
      register: fake_site
      notify: Restart nginx
-    - name: TEMPLATE | Create fake site
+    - name: FILE | Delete current site if needed
      ansible.builtin.template:
        src: "etc/nginx/conf.d/FAKESITE.conf.j2"
        dest: "/tmp/FAKESITE_{{ item | nginx_site_name }}.conf"
        mode: 0644
        owner: root
        group: root
      loop: "{{ acme_create }}"
    - name: FILE | Delete current site if needed  # noqa: no-handler
      ansible.builtin.file:
        path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}"
        state: absent
      loop: "{{ acme_create }}"
      when: fake_site.changed
      notify: Restart nginx
-    - name: META | Ensure nginx is restarted if needed
+    - name: SERVICE | Restart nginx
-      ansible.builtin.meta: flush_handlers
+      ansible.builtin.service:
        name: nginx
        state: restarted
      when: fake_site.changed and ansible_virtualization_type != 'docker'
    - name: COMMAND | Restart nginx
      ansible.builtin.command: service nginx restart
      args:
        warn: false
      when: fake_site.changed and ansible_virtualization_type == 'docker'
    - name: COMMAND | Get certificates
      ansible.builtin.command: |
--- a/tasks/ssl/standard.yml
+++ b/tasks/ssl/standard.yml
@ -11,16 +11,12 @@
    register: stat_dh_file
  - name: SHELL | Get info about DH file
-      ansible.builtin.shell: |
+    ansible.builtin.shell: openssl dhparam -in {{ nginx_dh_path }} -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }'
        set -o pipefail &&
        openssl dhparam -in {{ nginx_dh_path }} -text -noout 2>&1 | awk '/DH Parameters/ { print substr($3, 2) }'
      args:
        executable: /bin/bash
    changed_when: false
    register: dh_info
    when: stat_dh_file.stat.exists
-    - name: COMMAND | Generate DH file  # noqa: no-changed-when
+  - name: COMMAND | Generate DH file
    ansible.builtin.command: openssl dhparam -out {{ nginx_dh_path }} {{ nginx_dh_length }}
    when: not stat_dh_file.stat.exists or (dh_info.stdout | int != nginx_dh_length | int)
    notify: Restart nginx
--- a/templates/etc/nginx/helper/ssl-legacy.j2
+++ b/templates/etc/nginx/helper/ssl-legacy.j2
@ -1,23 +1,16 @@
 #
 # {{ ansible_managed }}
-# See: https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1n&hsts=false&guideline=5.7
+#
-ssl_session_timeout 1d;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_protocols TLSv1.1 TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_dhparam {{ nginx_dh_path }};
 # intermediate configuration
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_prefer_server_ciphers off;
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
 # Replace with the IP address of your resolver
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};
 # vim:filetype=nginx
--- a/templates/etc/nginx/helper/ssl-strong.j2
+++ b/templates/etc/nginx/helper/ssl-strong.j2
@ -1,21 +1,18 @@
 #
 # {{ ansible_managed }}
-# See: https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=modern&openssl=1.1.1n&hsts=false&guideline=5.7
+#
-ssl_session_timeout 1d;
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";
-ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+ssl_protocols TLSv1.2{% if nginx_version.stdout is version('1.13.0', 'ge') %} TLSv1.3{% endif %};
 ssl_prefer_server_ciphers on;
 ssl_ecdh_curve secp384r1;
 ssl_session_timeout 10m;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 # modern configuration
 ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers off;
 # OCSP stapling
 ssl_stapling on;
 ssl_stapling_verify on;
 # Replace with the IP address of your resolver
 resolver {{ nginx_resolver_hosts | join(' ') }} valid={{ nginx_resolver_valid }};
 resolver_timeout {{ nginx_resolver_timeout }};
 ssl_dhparam {{ nginx_dh_path }};
 # vim:filetype=nginx
--- a/templates/etc/nginx/nginx.conf.j2
+++ b/templates/etc/nginx/nginx.conf.j2
@ -5,9 +5,6 @@
 user {{ nginx_user }};
 worker_processes {{ nginx_worker_processes }};
 pid {{ nginx_pid }};
 {% for i in nginx_custom_core %}
 {{ i }}
 {% endfor %}
 include {{ nginx_etc_dir }}/modules-enabled/*.conf;
 events {
--- a/tests/group_vars/all.yml
+++ b/tests/group_vars/all.yml
@ -6,8 +6,6 @@ int_ansible_ssl_dir: '/etc/ansible-ssl'
 nginx_worker_processes: 1    # Ansible+FreeBSD can't detect CPU number
 nginx_apt_package: 'nginx-extras'
 nginx_module_packages: ['libnginx-mod-http-headers-more-filter']
 nginx_custom_core:
  - 'worker_rlimit_nofile 4242;'
 nginx_upstreams:
  - name: 'test'
@ -104,7 +102,7 @@ nginx_ssl_pairs:
 nginx_custom_http:
  - 'add_header X-ansible 1;'
-  - 'geoip_country {% if ansible_os_family == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
+  - 'geoip_country {% if ansible_distribution == "Debian" %}/usr/share/GeoIP/GeoIP.dat{% else %}/usr/local/share/GeoIP/GeoIP.dat{% endif %};'
  - 'map $geoip_country_code $allowed_country {'
  - '    default yes;'
  - '    MA no;'
--- a/tests/includes/post_common.yml
+++ b/tests/includes/post_common.yml
@ -244,12 +244,14 @@
  ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol http://test-ssl-proxy-protocol.local:20080 | grep -qi 'X-Proxy-Protocol'
  args:
    executable: /bin/bash
    warn: false
  changed_when: false
 - name: SHELL | Check HTTPS proxy protocol
  ansible.builtin.shell: set -o pipefail && curl -I --haproxy-protocol -k https://test-ssl-proxy-protocol.local:20443 | grep -qi 'X-Proxy-Protocol'
  args:
    executable: /bin/bash
    warn: false
  changed_when: false
 # --------------------------------
@ -260,3 +262,4 @@
  args:
    executable: /bin/bash
  changed_when: false
  when: nginx_auto_config_httpv2 and 'http_v2' in nginx_modules
--- a/tests/includes/pre_Debian.yml
+++ b/tests/includes/pre_Debian.yml
@ -1,13 +1,13 @@
 ---
 - name: APT_REPOSITORY | Install backports
-  ansible.builtin.apt_repository:
+  apt_repository:
    repo: 'deb http://httpredir.debian.org/debian {{ ansible_distribution_release }}-backports main'
    state: present
-  when: nginx_backports is defined and nginx_backports
+  when: nginx_backports
 - name: APT | Install needed packages
-  ansible.builtin.apt:
+  apt:
    pkg: "{{ packages }}"
    update_cache: true
    cache_valid_time: 3600
@ -24,7 +24,7 @@
      - unzip
 - name: APT | Install PHP
-  ansible.builtin.apt:
+  apt:
    pkg: "{{ pkgs }}"
    update_cache: true
    cache_valid_time: 3600
@ -35,39 +35,40 @@
      - php-fpm
 - name: SHELL | Get current PHP version
-  ansible.builtin.shell: php --version | awk '/^PHP/ { print $2 }' | grep -o -E '^.{3}'
+  shell: php --version | awk '/^PHP/ { print $2 }' | grep -o -E '^.{3}'
  changed_when: false
  register: cur_php_version
 # Bypasses Ansible+Docker issue. With service module... php is not really started!
 - name: COMMAND | Force start PHP
-  ansible.builtin.command: "service php{{ cur_php_version.stdout }}-fpm start"
+  command: "service php{{ cur_php_version.stdout }}-fpm start"
  args:
    creates: "/run/php/php{{ cur_php_version.stdout }}-fpm.pid"
    warn: false
 - name: GET_URL | Download ngrok
-  ansible.builtin.get_url:
+  get_url:
-    url: "https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz"
+    url: "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip"
    dest: "/tmp/ngrok.zip"
 - name: UNARCHIVE | Uncompress ngrok
-  ansible.builtin.unarchive:
+  unarchive:
    src: "/tmp/ngrok.zip"
    dest: "/tmp"
    remote_src: true
 - name: SET_FACT | ngrok_path
-  ansible.builtin.set_fact:
+  set_fact:
    ngrok_path: '/tmp/ngrok'
 - name: USER | Create PHP User foo
-  ansible.builtin.user:
+  user:
    name: foo
    system: true
- name: INCLUDE_ROLE | hanxhx.php  # TODO: repair vagrant
+- name: INCLUDE_ROLE | hanxhx.php
-  ansible.builtin.include_role:
+  include_role:
-    name: "hanxhx.php"
+    name: "{{ playbook_dir }}/hanxhx.php"
  vars:
    php_version: "{{ cur_php_version.stdout }}"
    php_autoremove_default_pool: false
--- a/tests/includes/pre_common.yml
+++ b/tests/includes/pre_common.yml
@ -1,24 +1,34 @@
 ---
- name: COMMAND | Start ngrok
+- name: SHELL | Start ngrok
-  ansible.builtin.command: daemonize -l /tmp/ngrok.lock {{ ngrok_path }} http 80 --scheme http
+  shell: daemonize -l /tmp/ngrok.lock {{ ngrok_path }} http 80 -bind-tls=false
  failed_when: false
  changed_when: ngrok.stderr.find("Can't lock the lock file") == -1
  register: ngrok
- name: WAIT_FOR | ngrok started  # noqa: no-handler
+- name: WAIT_FOR | ngrok started
-  ansible.builtin.wait_for:
+  wait_for:
    delay: 2
    port: 4040
  when: ngrok.changed
 - name: SHELL | Get ngrok public address
-  ansible.builtin.shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3
+  shell: set -o pipefail && curl 'http://127.0.0.1:4040/api/tunnels/command_line' 2> /dev/null | jq -r '.public_url' | cut -d '/' -f 3
  args:
    executable: /bin/bash
    warn: false
  register: ngrok
  changed_when: false
 - name: LINEINFILE | Tune vimrc
  lineinfile:
    line: "set mouse="
    dest: "{{ item }}/.vimrc"
    create: true
  loop:
    - /root
    - /home/vagrant
 - name: FILE | Create an internal SSL dir
  ansible.builtin.file:
    path: "{{ int_ansible_ssl_dir }}"
@ -27,16 +37,21 @@
    owner: root
    group: root
- name: COPY | Deploy test cert/key
+- name: COPY | Deploy test certificate
  ansible.builtin.copy:
-    src: "file/{{ item }}"
+    src: "file/test.crt"
-    dest: "{{ int_ansible_ssl_dir }}/{{ item }}"
+    dest: "{{ int_ansible_ssl_dir }}/test.crt"
    mode: 0640
    owner: root
    group: root
 - name: COPY | Deploy test key
  ansible.builtin.copy:
    src: "file/test.key"
    dest: "{{ int_ansible_ssl_dir }}/test.key"
    mode: 0640
    owner: root
    group: root
  loop:
    - 'test.key'
    - 'test.crt'
 - name: COPY | Add all hosts in /etc/hosts
  ansible.builtin.copy:
--- a/tests/test.yml
+++ b/tests/test.yml
@ -1,10 +1,10 @@
 ---
- name: Launch tests  # noqa: role-name[path]
+- name: Launch tests
  hosts: all
  pre_tasks:
    - name: INCLUDE_TASKS | Pre_tasks related to OS version
-      ansible.builtin.include_tasks: "includes/pre_{{ ansible_os_family }}.yml"
+      ansible.builtin.include_tasks: "includes/pre_{{ ansible_distribution }}.yml"
    - name: IMPORT_TASKS | Pre_tasks common
      ansible.builtin.import_tasks: "includes/pre_common.yml"
@ -14,7 +14,7 @@
  post_tasks:
    - name: INCLUDE_TASKS | Post_tasks related to OS version
-      ansible.builtin.include_tasks: "includes/post_{{ ansible_os_family }}.yml"
+      ansible.builtin.include_tasks: "includes/post_{{ ansible_distribution }}.yml"
    - name: IMPORT_TASKS | Post_tasks common
      ansible.builtin.import_tasks: "includes/post_common.yml"