* ``wsgi_website`` role

  * Parameters ``gunicorn_version`` and ``futures_version`` have been

    deprecated and removed. Existing roles should be updated to

    utilise the ``wsgi_requirements`` parameter instead.

  * Added parameter ``wsgi_requirements_in`` for listing top-level

    packages for performing pip requirements upgrade checks for

    Gunicorn requirements (listed via existing ``wsgi_requirements``

    parameter).

* ``xmpp_server`` role

* Deploys the HTTPS TLS private key and certificate (for website vhost).

* Configures nginx to serve the website (static files served directly, requests

  passed on to Gunicorn).

The role is implemented with the following layout/logic in mind:

* Website users are named after the ``FQDN`` (fully qualified domain name) of

  website, in format of ``web-ESCAPEDFQDN``, where ``ESCAPEDFQDN`` is equal to

  ``FQDN`` where dots have been replaced by underscores (for example,

  ``web-wiki_example_com``).

* Website users are set-up via GECOS field to have their umask set to ``0007``

  (in combination with ``pam_umask``).

    Configuration option.

**admin_uid** (integer, optional, ``whatever OS picks``)

  UID of the dedicated website administrator user. The user will be member of

  website group.

**environment_indicator** (dictionary, optional, ``null``)

  Specify configuration for including environment indicator on all HTML

  pages. Indicator is a simple strip at bottom of a page with custom background

  colour, text colour, and text.

  Specifying environment indicator is useful for avoiding mistakes when testing

---

additional_nginx_config: {}

packages: []

rewrites: []

static_locations: []

use_paste: false

virtualenv_packages: []

environment_variables: {}

      https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/parameters-optional.local_https.cert.pem') }}"

      https_tls_key: "{{ lookup('file', 'tests/data/x509/server/parameters-optional.local_https.key.pem') }}"

      additional_nginx_config:

        - comment: Custom missing page.

          value: error_page 404 /my/own/error/page;

      admin_uid: 5000

      environment_indicator:

        background_colour: "#ff0000"

        text_colour: "#00ff00"

        text: "parameters-optional"

      environment_variables:

        MY_ENV_VAR: "My environment variable"

        assert requirements.user == 'admin-%s' % fqdn.replace(".", "_")

        assert requirements.group == 'web-%s' % fqdn.replace(".", "_")

        assert requirements.mode == 0o640

        install_requirements = requirements.content_string.strip().split("\n")

        assert install_requirements == expected_requirements

testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(

    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')

def test_index_page(host):

    """

    Tests if index page is served correctly. This covers:

    - Basic WSGI application operation.

    - Handling of environment variables.

    """

    assert host.package('libmariadbclient-dev-compat').is_installed

    assert host.package('global').is_installed

def test_index_page(host):

    """

    Tests if index page is served correctly. This covers:

    - Basic WSGI application operation.

    - Handling of environment variables.

server {

    # HTTP (plaintext) configuration.

    listen 80;

    server_name {{ fqdn }};

    # Redirect plaintext connections to HTTPS

    return 301 https://$host$request_uri;

}

server {

    # Base settings.

    root {{ home }}/htdocs/;

    server_name {{ fqdn }};

    # HTTPS (TLS) configuration.

    listen 443 ssl;

    listen [::]:443 ssl;

    ssl_certificate_key /etc/ssl/private/{{ fqdn }}_https.key;

    ssl_certificate /etc/ssl/certs/{{ fqdn }}_https.pem;

    # Set-up HSTS header for preventing downgrades for users that visited the

    # site via HTTPS at least once.

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    {% for config in additional_nginx_config -%}

    # {{ config.comment }}

    {{ config.value }}

    {% endfor -%}