bullseye: "192.168.56.41"

  - server: param-optional-bullseye

    ip: 192.168.56.52

    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

  # Debian 11 Bullseye

  # ================

  - name: client1-bullseye

    groups:

      - client

      - client-relay-allowed

      - bullseye

      - smtp-server-requiring-tls

    box: debian/bullseye64

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.41

        network_name: private_network

        type: static

  - name: client2-bullseye

    groups:

      - client

      - client-relay-forbidden

      - bullseye

      - smtp-server-refusing-tls

    box: debian/bullseye64

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.42

        network_name: private_network

        type: static

  - name: parameters-mandatory-bullseye

    groups:

      - parameters-mandatory

      - bullseye

    box: debian/bullseye64

    memory: 2048

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.51

        network_name: private_network

        type: static

  - name: parameters-optional-bullseye

    groups:

      - parameters-optional

      - bullseye

    box: debian/bullseye64

    memory: 2048

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.52

        network_name: private_network

        type: static

        - name: parameters-mandatory-bullseye_imap

          fqdn: parameters-mandatory-bullseye

        - name: parameters-mandatory-bullseye_smtp

          fqdn: parameters-mandatory-bullseye

        - name: parameters-optional-bullseye_imap

          fqdn: parameters-optional-bullseye

        - name: parameters-optional-bullseye_smtp

          fqdn: parameters-optional-bullseye

- hosts: bullseye

  become: true

  tasks:

    - name: Set-up the hosts file

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        # Force mail servers to use local ClamAV database mirror.

        192.168.56.11: "db.local.clamav.net database.clamav.net"

        192.168.56.12: "ldap-server backup-server"

        192.168.56.41: "client1 smtp-server-requiring-tls"

        192.168.56.42: "client2 smtp-server-refusing-tls"

        192.168.56.51: "parameters-mandatory parameters-mandatory-bullseye"

        192.168.56.52: "parameters-optional parameters-optional-bullseye"

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]

    if distribution_release == "bullseye":

        expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]

        expected_tls_ciphers = [

            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',

            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',

            'TLS_DHE_RSA_WITH_AES_128_CCM',

            'TLS_DHE_RSA_WITH_AES_128_CCM_8',

            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',

            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',

            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',

            'TLS_DHE_RSA_WITH_AES_256_CCM',

            'TLS_DHE_RSA_WITH_AES_256_CCM_8',

            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',

            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',

            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',

            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',

            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',

            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',

            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',

            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',

            'TLS_DHE_RSA_WITH_SEED_CBC_SHA',

            'TLS_DH_anon_WITH_AES_128_CBC_SHA',

            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',

            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',

            'TLS_DH_anon_WITH_AES_256_CBC_SHA',

            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',

            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',

            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',

            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',

            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',

            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',

            'TLS_DH_anon_WITH_SEED_CBC_SHA',

            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',

            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',

            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',

            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',

            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',

            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',

            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',

            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',

            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',

            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',

            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',

            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',

            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',

            'TLS_RSA_WITH_AES_128_CBC_SHA',

            'TLS_RSA_WITH_AES_128_CBC_SHA256',

            'TLS_RSA_WITH_AES_128_CCM',

            'TLS_RSA_WITH_AES_128_CCM_8',

            'TLS_RSA_WITH_AES_128_GCM_SHA256',

            'TLS_RSA_WITH_AES_256_CBC_SHA',

            'TLS_RSA_WITH_AES_256_CBC_SHA256',

            'TLS_RSA_WITH_AES_256_CCM',

            'TLS_RSA_WITH_AES_256_CCM_8',

            'TLS_RSA_WITH_AES_256_GCM_SHA384',

            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',

            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',

            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',

            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',

            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',

            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',

            'TLS_RSA_WITH_SEED_CBC_SHA',

        ]

    else:

        expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

        expected_tls_ciphers = [

            'TLS_AKE_WITH_AES_128_GCM_SHA256',

            'TLS_AKE_WITH_AES_256_GCM_SHA384',

            'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256',

            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',

            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',

            'TLS_DHE_RSA_WITH_AES_128_CCM',

            'TLS_DHE_RSA_WITH_AES_128_CCM_8',

            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',

            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',

            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',

            'TLS_DHE_RSA_WITH_AES_256_CCM',

            'TLS_DHE_RSA_WITH_AES_256_CCM_8',

            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',

            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',

            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',

            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',

            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',

            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',

            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',

            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',

            'TLS_DH_anon_WITH_AES_128_CBC_SHA',

            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',

            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',

            'TLS_DH_anon_WITH_AES_256_CBC_SHA',

            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',

            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',

            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',

            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',

            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',

            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',

            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',

            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',

            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',

            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',

            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',

            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',

            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',

            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',

            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',

            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',

            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',

            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',

            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',

            'TLS_RSA_WITH_AES_128_CBC_SHA',

            'TLS_RSA_WITH_AES_128_CBC_SHA256',

            'TLS_RSA_WITH_AES_128_CCM',

            'TLS_RSA_WITH_AES_128_CCM_8',

            'TLS_RSA_WITH_AES_128_GCM_SHA256',

            'TLS_RSA_WITH_AES_256_CBC_SHA',

            'TLS_RSA_WITH_AES_256_CBC_SHA256',

            'TLS_RSA_WITH_AES_256_CCM',

            'TLS_RSA_WITH_AES_256_CCM_8',

            'TLS_RSA_WITH_AES_256_GCM_SHA384',

            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',

            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',

            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',

            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',

            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',

            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',

        ]

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]

    if distribution_release == "bullseye":

        expected_tls_versions = ["TLSv1.2"]

        expected_tls_ciphers = [

            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        ]

    else:

        expected_tls_versions = ["TLSv1.2", "TLSv1.3"]

        expected_tls_ciphers = [

            "TLS_AKE_WITH_AES_128_GCM_SHA256",

            "TLS_AKE_WITH_AES_256_GCM_SHA384",

            "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",

            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        ]

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]

    if distribution_release == "bullseye":

        expected_tls_versions = ["TLSv1.1", "TLSv1.2"]

        expected_tls_ciphers = [

            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

        ]

    else:

        expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]

        expected_tls_ciphers = [

            "TLS_AKE_WITH_AES_128_GCM_SHA256",

            "TLS_AKE_WITH_AES_256_GCM_SHA384",

            "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",

            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",

            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

        ]

{% if ansible_distribution_release != 'bullseye' %}

{% endif %}