- server: parameters-optional-bullseye

    ip: 192.168.56.52

    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

  # Debian 11 Bullseye

  # ================

  - name: client-bullseye

    groups:

      - clients

      - bullseye

    # Use Bookworm client box for testing Bullseye servers to avoid

    # duplication of test code in test_client.py due to missing

    # functional build of go-sendxmpp for the Bullseye release (glibc

    # mismatch in prebuilt package).

    box: debian/bookworm64

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.41

        network_name: private_network

        type: static

  - name: parameters-mandatory-bullseye

    groups:

      - parameters-mandatory

      - bullseye

    box: debian/bullseye64

    memory: 512

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.51

        network_name: private_network

        type: static

  - name: parameters-optional-bullseye

    groups:

      - parameters-optional

      - bullseye

    box: debian/bullseye64

    memory: 512

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.52

        network_name: private_network

        type: static

        - name: parameters-mandatory-bullseye_xmpp

          fqdn:

            - parameters-mandatory

            - domain1

            - proxy.domain1

            - conference.domain1

        - name: parameters-optional-bullseye_xmpp

          fqdn:

            - parameters-optional

            - domain2

            - proxy.domain2

            - conference.domain2

            - domain3

            - proxy.domain3

            - conference.domain3

- hosts: bullseye

  become: true

  tasks:

    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the xmpp_server_tls_protocol parameter

      lineinfile:

        path: "/etc/ssl/openssl.cnf"

        regexp: "^MinProtocol ="

        line: "MinProtocol = TLSv1.0"

        owner: root

        group: root

        mode: 0644

        state: present

    - name: Set-up the hosts file

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        192.168.56.11: "ldap-server backup-server"

        192.168.56.41: "client-bullseye"

        192.168.56.51: "parameters-mandatory domain1 proxy.domain1 conference.domain1"

        192.168.56.52: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"

        sendxmpp_package: "{% if ansible_distribution_release == 'bullseye' %}sendxmpp{% else %}go-sendxmpp{% endif %}"

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]

    if distribution_release == "bullseye":

        send = host.run("echo '%s' | sendxmpp --tls-ca-path /usr/local/share/ca-certificates/testca.crt "

                        "-t -u jane.doe -p janepassword -j domain2:5222 mick.doe@domain3", message)

        assert send.rc == 0

    else:

        send = host.run("echo '%s' | go-sendxmpp --debug "

                        "--username jane.doe@domain2 --password janepassword --jserver domain3:5222 "

                        "mick.doe@domain3", message)

        assert send.rc == 0

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]

    if distribution_release == "bullseye":

        expected_tls_versions = ["TLSv1.2"]

        expected_tls_ciphers = [

            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        ]

    else:

        expected_tls_versions = ["TLSv1.2", "TLSv1.3"]

        expected_tls_ciphers = [

            "TLS_AKE_WITH_AES_128_GCM_SHA256",

            "TLS_AKE_WITH_AES_256_GCM_SHA384",

            "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",

            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        ]

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]

    if distribution_release == "bullseye":

        expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

        expected_tls_ciphers = [

            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

        ]

    else:

        expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

        expected_tls_ciphers = [

            "TLS_AKE_WITH_AES_128_GCM_SHA256",

            "TLS_AKE_WITH_AES_256_GCM_SHA384",

            "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",

            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

        ]

- name: Drop package pins to backports for Prosody on Debian 11 Bullseye

  file:

    path: /etc/apt/preferences.d/prosody

    state: absent

  when: ansible_distribution_release == 'bullseye'

{% if ansible_distribution_release == "bullseye" %}

legacy_ssl_ssl = {

  protocol = "{{ xmpp_server_tls_protocol }}";

  ciphers = "{{ xmpp_server_tls_ciphers }}";

}

{% else %}

{% endif %}

{% if ansible_distribution_release == "bullseye" %}

legacy_ssl_ports = { 5223 }

{% else %}

{% endif %}