* Updated default set of TLS ciphers used by IMAP/SMTP servers

    (``mail_server_tls_ciphers`` parameter). All CBC ciphers have been

    dropped. This could introduce incompatibility with older clients

    trying to connect to the IMAP/SMTP server.

* ``preseed`` role

  * Parameter ``ansible_key`` is now mandatory.

  * Parameter ``preseed_directory`` is now mandatory.

* Installs additional packages required for running the role (as configured).

* Deploys the HTTPS TLS private key and certificate (for website vhost).

* Configures PHP FPM and nginx to serve the website.

The role is implemented with the following layout/logic in mind:

* Website users are named after the ``FQDN`` (fully qualified domain name) of

  website, in format of ``web-ESCAPEDFQDN``, where ``ESCAPEDFQDN`` is equal to

  ``FQDN`` where dots have been replaced by underscores (for example,

  ``web-cloud_example_com``).

* Website users are set-up via GECOS field to have their umask set to ``0007``

  (in combination with ``pam_umask``).

  List of regular expressions for matching files/locations to which the web

  server should deny access. This is useful to block access to any sensitive

  files that should not be served directly by the web server. The format must be

  compatible with regular expressions used by ``nginx`` for ``location ~``

  syntax.

**environment_indicator** (dictionary, optional, ``null``)

  Specify configuration for including environment indicator on all HTML

  pages. Indicator is a simple strip at bottom of a page with custom background

  colour, text colour, and text.

  Specifying environment indicator is useful for avoiding mistakes when testing

dependency for a custom role. They do come with decent amount of batteries

included, and also play nice with the web server role.

As mentioned before, all roles will enforce TLS by default. The web server roles

will additionaly implement HSTS policy by sending connecting clients

``Strict-Transport-Security`` header with value set to ``max-age=31536000;

With all the above noted, let us finally move on to the next step.

Setting-up the web server

-------------------------

---

additional_nginx_config: {}

deny_files_regex: []

index: index.php

packages: []

php_file_regex: \.php$

php_rewrite_urls: []

rewrites: []

additional_fpm_config: {}

      additional_nginx_config:

        - comment: Custom missing page.

          value: error_page 404 /404.myphp;

      admin_uid: 5000

      deny_files_regex:

        - '^/secretfile.txt'

      environment_indicator:

        background_colour: "#ff0000"

        text_colour: "#00ff00"

        text: "parameters-optional"

      fqdn: parameters-optional.local

      index: myindex.php

import os

import testinfra.utils.ansible_runner

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')

    config = host.file('/etc/nginx/sites-enabled/parameters-mandatory')

    assert config.is_symlink

    assert config.linked_to == '/etc/nginx/sites-available/parameters-mandatory'

def test_index_page(host):

    """

    Tests if index page is served correctly.

    """

    page = host.run('curl https://parameters-mandatory/')

    config = host.file('/etc/nginx/sites-enabled/parameters-optional.local')

    assert config.is_symlink

    assert config.linked_to == '/etc/nginx/sites-available/parameters-optional.local'

def test_index_page(host):

    """

    Tests if index page is served correctly (should be php file served statically).

    """

    page = host.run('curl https://parameters-optional.local/')

server {

    # HTTP (plaintext) configuration.

    listen 80;

    server_name {{ fqdn }};

    # Redirect plaintext connections to HTTPS

    return 301 https://$host$request_uri;

}

server {

    # Base settings.

    root {{ home }}/htdocs/;

    index {{ index }};

    server_name {{ fqdn }};

    # HTTPS (TLS) configuration.

    listen 443 ssl;

    listen [::]:443 ssl;

    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;

    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;

    # Set-up HSTS header for preventing downgrades for users that visited the

    # site via HTTPS at least once.

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    {% for config in additional_nginx_config -%}

    # {{ config.comment }}

    {{ config.value }}

    {% endfor -%}

  - role: php_website

    fqdn: phpinfo.{{ testsite_domain }}

    php_rewrite_urls:

      - ^(.*) /index.php

    admin_uid: 3000

    uid: 2000

    https_tls_key: "{{ lookup('file', inventory_dir + '/tls/phpinfo.' + testsite_domain + '_https.key') }}"

    https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/phpinfo.' + testsite_domain + '_https.pem') }}"

    additional_fpm_config:

      "env[PATH]": "\"/usr/local/bin:/usr/bin:/bin\""

  - role: database

    db_name: phpinfo_{{ testsite_domain_underscores }}