From ab20d5b216c43b39f0d3a8e446c0cbd7ad45611b 2024-02-28 00:40:37 From: Branko Majic Date: 2024-02-28 00:40:37 Subject: [PATCH] MAR-192: Added support for Debian 12 Bookworm to web_server role: - Some tweaks had to be done to test the TLS, but it would be useful to revisit the TLS configuration in general in the future, and to modernise it for TLSv1.2 and TLSv1.3, especially once the supports for Debian 11 Bullseye is dropped. --- diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 76c5943065288083947d16c0a7dcb40c3388ec97..b241b657499729909891cde634e8e04289dc787b 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -1503,6 +1503,7 @@ Distribution compatibility Role is compatible with the following distributions: - Debian 11 (Bullseye) +- Debian 12 (Bookworm) Examples diff --git a/roles/web_server/defaults/main.yml b/roles/web_server/defaults/main.yml index 7df4251cfd74b8b0233b713d00b5af2ddbd229ec..d67bdaf279eb21cf3bba8083f7e2d05c44634bb7 100644 --- a/roles/web_server/defaults/main.yml +++ b/roles/web_server/defaults/main.yml @@ -18,9 +18,11 @@ ECDHE-RSA-CHACHA20-POLY1305:\ # Internal parameters php_fpm_service_name_per_release: bullseye: "php7.4-fpm" + bookworm: "php8.2-fpm" php_base_config_dir_per_release: bullseye: "/etc/php/7.4" + bookworm: "/etc/php/8.2" php_fpm_package_name: "php-fpm" php_fpm_service_name: "{{ php_fpm_service_name_per_release[ansible_distribution_release] }}" diff --git a/roles/web_server/meta/main.yml b/roles/web_server/meta/main.yml index 4af6412181745036170b3efb07a43f2bf248b99a..245504b6d23d98e987293aa43d7e7a1ce635eaf8 100644 --- a/roles/web_server/meta/main.yml +++ b/roles/web_server/meta/main.yml @@ -12,3 +12,4 @@ galaxy_info: - name: Debian versions: - 11 + - 12 diff --git a/roles/web_server/molecule/default/molecule.yml b/roles/web_server/molecule/default/molecule.yml index 31d7637a380c4edf67ca976d743fac70785fe86a..0528862b5e501c99f5a732929b8e0369efb7f56f 100644 
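Review bot: The new `bookworm` entries in `php_fpm_service_name_per_release` and `php_base_config_dir_per_release` repeat values that the molecule `php_info` fixture in conftest.py hard-codes a second time, and nothing in the hunk tells the next person adding a release that both places must change together. A one-line comment above `php_fpm_service_name_per_release`, such as `# Keep in sync with molecule/default/tests/conftest.py (php_info fixture).`, would make that coupling visible. Separately and pre-existing, `php_fpm_service_name` indexes the map directly with `ansible_distribution_release`, so an unsupported release fails with a generic undefined-key error at template time rather than a clear "release not supported" message; acceptable, but worth a note if the role is expected to be used on other releases.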
--- a/roles/web_server/molecule/default/molecule.yml +++ b/roles/web_server/molecule/default/molecule.yml @@ -15,7 +15,7 @@ lint: platforms: - name: client - box: debian/bullseye64 + box: debian/bookworm64 memory: 256 cpus: 1 provider_raw_config_args: @@ -56,6 +56,36 @@ platforms: network_name: private_network type: static + - name: parameters-mandatory-bookworm + groups: + - parameters-mandatory + - bookworm + box: debian/bookworm64 + memory: 512 + cpus: 1 + provider_raw_config_args: + - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']" + interfaces: + - auto_config: true + ip: 192.168.56.21 + network_name: private_network + type: static + + - name: parameters-optional-bookworm + groups: + - parameters-optional + - bookworm + box: debian/bookworm64 + memory: 512 + cpus: 1 + provider_raw_config_args: + - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']" + interfaces: + - auto_config: true + ip: 192.168.56.22 + network_name: private_network + type: static + provisioner: name: ansible playbooks: diff --git a/roles/web_server/molecule/default/prepare.yml b/roles/web_server/molecule/default/prepare.yml index b125fb39419c068c1fad7aec8582f085bf06470f..fde393deb195a6da362006e1843610168fb3f967 100644 --- a/roles/web_server/molecule/default/prepare.yml +++ b/roles/web_server/molecule/default/prepare.yml @@ -27,6 +27,10 @@ fqdn: parameters-mandatory-bullseye - name: parameters-optional-bullseye_https fqdn: parameters-optional-bullseye + - name: parameters-mandatory-bookworm_https + fqdn: parameters-mandatory-bookworm + - name: parameters-optional-bookworm_https + fqdn: parameters-optional-bookworm - name: Set-up link to generated X.509 material file: 
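Review bot: The `client` platform is moved to `debian/bookworm64` but, unlike the two new `parameters-*-bookworm` platforms, it is not placed in the `bookworm` group, so the OpenSSL relaxation that prepare.yml applies to `hosts: bookworm` does not reach it. If any test drives a TLSv1.0/1.1 handshake from the client side (for example through the curl that prepare.yml installs), Debian 12's stock OpenSSL policy on the client would refuse it regardless of what the servers accept; this is inferred from the group lists in the hunk, so please confirm the client only issues TLSv1.2+ requests. If keeping the client at stock defaults is intentional, say so on the entry, e.g. `# deliberately not in the bookworm group: the client must keep the stock OpenSSL policy`, so nobody "fixes" it later.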
@@ -59,6 +63,28 @@ - nmap state: present +- hosts: bookworm + become: true + tasks: + + - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter + blockinfile: + path: "/etc/ssl/openssl.cnf" + block: | + [openssl_init] + ssl_conf = ssl_sect + + [ssl_sect] + system_default = system_default_sect + + [system_default_sect] + MinProtocol = TLSv1.1 + CipherString = DEFAULT@SECLEVEL=0 + owner: root + group: root + mode: 0644 + state: present + - hosts: all become: true tasks: @@ -76,6 +102,8 @@ 192.168.56.11: "client" 192.168.56.31: "parameters-mandatory-bullseye" 192.168.56.32: "parameters-optional-bullseye" + 192.168.56.21: "parameters-mandatory-bookworm" + 192.168.56.22: "parameters-optional-bookworm" - name: Install curl for testing redirects and webpage content apt: diff --git a/roles/web_server/molecule/default/tests/conftest.py b/roles/web_server/molecule/default/tests/conftest.py index fb51c74bd837d920c5bfe479e10fb7f432fae458..928ed6d9ecbf67d92de6532082033f4eac0234a4 100644 --- a/roles/web_server/molecule/default/tests/conftest.py +++ b/roles/web_server/molecule/default/tests/conftest.py @@ -29,6 +29,8 @@ def php_info(host): if ansible_distribution_release == 'bullseye': info = PHPInfo(fpm_package='php-fpm', fpm_service='php7.4-fpm', base_config_dir='/etc/php/7.4') + elif ansible_distribution_release == 'bookworm': + info = PHPInfo(fpm_package='php-fpm', fpm_service='php8.2-fpm', base_config_dir='/etc/php/8.2') else: raise Exception('The php_info pytest fixture does not support Debian release: %s' % ansible_distribution_release)
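Review bot: The task name says it enables TLSv1.0+, but the block it writes sets `MinProtocol = TLSv1.1`, so TLSv1.0 stays disabled on the bookworm hosts; either the name or the value is wrong, and the `web_server_tls_protocols` tests should state which protocols they actually expect to negotiate. The block is appended to the system-wide `/etc/ssl/openssl.cnf` with `CipherString = DEFAULT@SECLEVEL=0`, which lowers the policy for every OpenSSL consumer on the instance (apt, curl, the test tooling), not only the web server under test; that is tolerable for a throwaway molecule instance but deserves saying in the task, e.g. `# Test-only: relaxes the host-wide OpenSSL policy so legacy protocol settings can be exercised; never reuse this in a role.` Since `blockinfile` appends rather than replaces, this also relies on OpenSSL merging these sections with any `[openssl_init]`/`[ssl_sect]`/`[system_default_sect]` the shipped openssl.cnf already declares, with the appended keys winning — worth confirming on a converged instance rather than assuming.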