TLS ciphers to enable on the web server. This should be an OpenSSL-compatible

  cipher specification. Value should be compatible with Nginx configuration

  option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS

  ciphers with RSA private keys.

Distribution compatibility

~~~~~~~~~~~~~~~~~~~~~~~~~~

Role is compatible with the following distributions:

- Debian 9 (Stretch)

Examples

~~~~~~~~

Here is an example configuration for setting-up web server:

.. code-block:: yaml

  ---

  default_https_tls_key: "{{ lookup('file', inventory_dir + '/tls/web.example.com_https.key') }}"

web_server_tls_protocols:

  - "TLSv1.2"

web_server_tls_ciphers: "\

DHE-RSA-AES128-GCM-SHA256:\

DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-CHACHA20-POLY1305:\

ECDHE-RSA-AES128-GCM-SHA256:\

ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-CHACHA20-POLY1305:\

!aNULL:!MD5:!EXPORT"

# Internal parameters

php_fpm_package_name: "php-fpm"

dependencies:

  - common

galaxy_info:

  author: Branko Majic

  description: Sets-up generic web server

  license: BSD

  min_ansible_version: 2.9

  platforms:

    - name: Debian

      versions:

        - 9

    groups:

      - parameters-optional

      - stretch

    box: debian/contrib-stretch64

    memory: 512

    cpus: 1

    interfaces:

      - auto_config: true

        ip: 10.31.127.33

        network_name: private_network

        type: static

provisioner:

  name: ansible

  playbooks:

    cleanup: cleanup.yml

  config_options:

    defaults:

      force_valid_group_names: "ignore"

      interpreter_python: "/usr/bin/python3"

    ssh_connection:

      pipelining: "True"

  lint:

    name: ansible-lint

        chdir: "tests/data/"

        creates: ".gimmecert/server/{{ item.name }}.cert.pem"

        argv:

          - "gimmecert"

          - "server"

          - "{{ item.name }}"

          - "{{ item.fqdn }}"

      with_items:

        - name: parameters-mandatory-stretch64_https

          fqdn: parameters-mandatory

        - name: parameters-optional-stretch64_https

          fqdn: parameters-optional

    - name: Set-up link to generated X.509 material

      file:

        src: ".gimmecert"

        dest: "tests/data/x509"

        state: link

- name: Prepare

  hosts: all

  gather_facts: false

  tasks:

    - name: Install python for Ansible

        mode: 0644

        state: present

      with_dict:

        10.31.127.21: "client1"

        10.31.127.32: "parameters-mandatory"

        10.31.127.33: "parameters-optional"

    - name: Install curl for testing redirects and webpage content

      apt:

        name: curl

        state: present

- hosts: client

  become: true

  tasks:

    - name: Install tool for testing TCP connectivity

      apt:

        name: hping3

        state: present

    - name: Install console-based web browser for interactive testing

      apt:

        name: lynx

from collections import namedtuple

import pytest

@pytest.fixture

def php_info(host):

    """

    Helper fixture used to define what the expected PHP-FPM package

    name, PHP-FPM service name, and PHP base configuration directory

    is based on Debian release.

    Resulting information can be accessed through returned named tuple

    with the following properties:

    - fpm_package (name of the PHP-FPM package)

    - fpm_service (name of the PHP-FPM system service)

    - base_config_dir (base configuration directory for PHP)

    """

    PHPInfo = namedtuple('PHPInfo', 'fpm_package fpm_service base_config_dir')

    ansible_facts = host.ansible("setup")["ansible_facts"]

    ansible_distribution_release = ansible_facts['ansible_distribution_release']

    if ansible_distribution_release == 'stretch':

        info = PHPInfo(fpm_package='php-fpm', fpm_service='php7.0-fpm', base_config_dir='/etc/php/7.0')

    else:

        raise Exception('The php_info pytest fixture does not support Debian release: %s' % ansible_distribution_release)

    return info

import os

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*')

def test_installed_packages(host, php_info):

    """

    Tests if the required packages have been installed.

    """

    assert host.package('nginx').is_installed

    assert host.package('python-setuptools').is_installed

    assert host.package('python3-setuptools').is_installed

    assert service.is_running

def test_sockets(host):

    """

    Tests if web server is listening on correct ports.

    """

    assert host.socket("tcp://80").is_listening

    assert host.socket("tcp://443").is_listening

    """

    """

    directory = host.file(socket_directory)

    assert directory.is_directory

    assert directory.user == 'root'

    assert directory.group == 'www-data'

    assert directory.mode == 0o750

    config = host.file(tmpfiles_d_path)

    assert config.is_file

    assert config.user == 'root'

    assert config.group == 'root'

    assert config.mode == 0o644