---

backup_patterns_filename: "test"

# backup_client role parameters.

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}"

backup_server: 10.31.127.10

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

---

backup_patterns_filename: "test"

backup_patterns:

  - /etc/hosts

  - /etc/ethers

  - /var/log

# backup_client role parameters.

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: 10.31.127.10

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

---

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}"

backup_server: 192.168.56.10

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

---

backup_additional_encryption_keys:

  - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_1.asc') }}"

  - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_2.asc') }}"

  - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}"

backup_client_username: backupuser

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: 192.168.56.10

backup_server_destination: "/duplicity/{{ inventory_hostname }}"

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

backup_server_port: 3333

---

db_name: testdb

db_password: testdbpassword

enable_backup: true

# backup_client

backup_client_username: "bak-localhost"

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: localhost

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

ldap_server_organization: "Example"

ldap_server_log_level: 0

ldap_server_ssf: 0

ldap_tls_ciphers: "NONE:+VERS-TLS1.1:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:\

+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA1:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"

# ldap_client

ldap_client_config:

  - comment: CA truststore

    option: TLS_CACERT

    value: /etc/ssl/certs/testca.cert.pem

  - comment: Ensure TLS is enforced

    option: TLS_REQCERT

    value: demand

# backup_client

enable_backup: true

backup_client_username: "bak-localhost"

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: localhost

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

smtp_allow_relay_from:

  - "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"

mail_message_size_limit: 20480001

mail_server_smtp_additional_configuration: |

  mail_name = MySMTP

  smtp_skip_5xx_greeting = no

# Variables dependant on distribution release.

release_based_smtp_allow_relay_from:

  bookworm: "192.168.56.21"

# common

ca_certificates:

  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

# backup_client

enable_backup: true

backup_client_username: "bak-param-optional-{{ ansible_distribution_release }}"

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: ldap-server

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

---

- name: Set-up fixtures

  hosts: localhost

  connection: local

  gather_facts: false

  tasks:

    - name: Initialise CA hierarchy

      command: "gimmecert init"

      args:

        creates: ".gimmecert/ca/level1.cert.pem"

        chdir: "tests/data/"

    - name: Generate server private keys and certificates

      command:

      args:

        chdir: "tests/data/"

        creates: ".gimmecert/server/{{ item.name }}.cert.pem"

        argv:

          - "gimmecert"

          - "server"

          - "{{ item.name }}"

          - "{{ item.fqdn }}"

      with_items:

        - name: clamav-database_https

          fqdn: database.clamav.net

        - name: ldap-server_ldap

          fqdn: ldap-server

        - name: parameters-mandatory-bookworm_imap

          fqdn: parameters-mandatory-bookworm

        - name: parameters-mandatory-bookworm_smtp

          fqdn: parameters-mandatory-bookworm

        - name: parameters-optional-bookworm_imap

          fqdn: parameters-optional-bookworm

        - name: parameters-optional-bookworm_smtp

          fqdn: parameters-optional-bookworm

    - name: Set-up link to generated X.509 material

      file:

        src: ".gimmecert"

        dest: "tests/data/x509"

        state: link

- name: Prepare

  hosts: all

  gather_facts: false

    validate: "/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"

  notify:

    - Restart nginx

- name: Enable nginx website

  file:

    src: "/etc/nginx/sites-available/{{ fqdn }}"

    dest: "/etc/nginx/sites-enabled/{{ fqdn }}"

    state: link

  notify:

    - Restart nginx

- name: Set-up empty list of WSGI services to restart

  set_fact:

    wsgi_services_to_restart: []

  when: "wsgi_services_to_restart is not defined"

  tags:

    - handlers

- name: Add service to list of WSGI services to restart  # noqa 503

  # [503] Tasks that run when changed should likely be handlers

  #   This specific task is used in order to work around inability of Ansible

  #   to provide properly parametrised handlers for reusable roles.

  set_fact:

  when: |

    fqdn not in wsgi_services_to_restart and

    ((install_extra_packages is defined and install_extra_packages.changed) or

    (install_additional_packages_in_virtualenv is defined and install_additional_packages_in_virtualenv.changed) or

    (deploy_systemd_socket_configuration is defined and deploy_systemd_socket_configuration.changed) or

    (deploy_systemd_service_configuration is defined and deploy_systemd_service_configuration.changed) or

    (install_gunicorn_via_requirements is defined and install_gunicorn_via_requirements.changed) or

    (run_handlers | default(False) | bool()))

  tags:

    - handlers

- name: Explicitly run all handlers

  include_tasks: ../handlers/main.yml

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers

xmpp_ldap_base_dn: dc=local

xmpp_ldap_password: prosodypassword

xmpp_ldap_server: ldap-server

xmpp_server_archive_expiration: "1w"

xmpp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.cert.pem') }}"

xmpp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_xmpp.key.pem') }}"

xmpp_server_tls_protocol: "tlsv1+"

xmpp_server_tls_ciphers: "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:!aNULL:!MD5:!EXPORT"

# common

ca_certificates:

  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

# backup_client

enable_backup: true

backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release }}"

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: backup-server

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"