majic-ansible-roles Changeset

Changeset - ab20d5b216c4

Parent rev.

Child rev.

[Not reviewed]

0 6 0

Branko Majic (branko) - 2 months ago 2024-02-28 00:40:37
branko@majic.rs

MAR-192: Added support for Debian 12 Bookworm to web_server role:

- Some tweaks had to be done to test the TLS, but it would be useful
to revisit the TLS configuration in general in the future, and to
modernise it for TLSv1.2 and TLSv1.3, especially once the supports
for Debian 11 Bullseye is dropped.

6 files changed with 65 insertions and 1 deletions:

docs/rolereference.rst

roles/web_server/defaults/main.yml

roles/web_server/meta/main.yml

roles/web_server/molecule/default/molecule.yml

roles/web_server/molecule/default/prepare.yml

roles/web_server/molecule/default/tests/conftest.py

0 comments (0 inline, 0 general)

docs/rolereference.rst

➞

Show inline comments

@@ @@ -1503,6 +1503,7 @@ Distribution compatibility @@
 Role is compatible with the following distributions:
 - Debian 11 (Bullseye)
 - Debian 12 (Bookworm)
 Examples

roles/web_server/defaults/main.yml

➞

Show inline comments

@@ @@ -18,9 +18,11 @@ ECDHE-RSA-CHACHA20-POLY1305:\ @@
 # Internal parameters
 php_fpm_service_name_per_release:
   bullseye: "php7.4-fpm"
   bookworm: "php8.2-fpm"
 php_base_config_dir_per_release:
   bullseye: "/etc/php/7.4"
   bookworm: "/etc/php/8.2"
 php_fpm_package_name: "php-fpm"
 php_fpm_service_name: "{{ php_fpm_service_name_per_release[ansible_distribution_release] }}"

roles/web_server/meta/main.yml

➞

Show inline comments

@@ @@ -12,3 +12,4 @@ galaxy_info: @@
     - name: Debian
       versions:
         - 11
         - 12

roles/web_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -15,7 +15,7 @@ lint: @@
 platforms:
   - name: client
-    box: debian/bullseye64
+    box: debian/bookworm64
     memory: 256
     cpus: 1
     provider_raw_config_args:
@@ @@ -56,6 +56,36 @@ platforms: @@
         network_name: private_network
         type: static
   - name: parameters-mandatory-bookworm
     groups:
       - parameters-mandatory
       - bookworm
     box: debian/bookworm64
     memory: 512
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.21
         network_name: private_network
         type: static
   - name: parameters-optional-bookworm
     groups:
       - parameters-optional
       - bookworm
     box: debian/bookworm64
     memory: 512
     cpus: 1
     provider_raw_config_args:
       - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
     interfaces:
       - auto_config: true
         ip: 192.168.56.22
         network_name: private_network
         type: static
 provisioner:
   name: ansible
   playbooks:

roles/web_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -27,6 +27,10 @@ @@
           fqdn: parameters-mandatory-bullseye
         - name: parameters-optional-bullseye_https
           fqdn: parameters-optional-bullseye
         - name: parameters-mandatory-bookworm_https
           fqdn: parameters-mandatory-bookworm
         - name: parameters-optional-bookworm_https
           fqdn: parameters-optional-bookworm
     - name: Set-up link to generated X.509 material
       file:
@@ @@ -59,6 +63,28 @@ @@
           - nmap
         state: present
 - hosts: bookworm
   become: true
   tasks:
     - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
       blockinfile:
         path: "/etc/ssl/openssl.cnf"
         block: |
           [openssl_init]
           ssl_conf = ssl_sect
           [ssl_sect]
           system_default = system_default_sect
           [system_default_sect]
           MinProtocol = TLSv1.1
           CipherString = DEFAULT@SECLEVEL=0
         owner: root
         group: root
         mode: 0644
         state: present
 - hosts: all
   become: true
   tasks:
@@ @@ -76,6 +102,8 @@ @@
 .168.56.11: "client"
 .168.56.31: "parameters-mandatory-bullseye"
 .168.56.32: "parameters-optional-bullseye"
 .168.56.21: "parameters-mandatory-bookworm"
 .168.56.22: "parameters-optional-bookworm"
     - name: Install curl for testing redirects and webpage content
       apt:

roles/web_server/molecule/default/tests/conftest.py

➞

Show inline comments

@@ @@ -29,6 +29,8 @@ def php_info(host): @@
     if ansible_distribution_release == 'bullseye':
         info = PHPInfo(fpm_package='php-fpm', fpm_service='php7.4-fpm', base_config_dir='/etc/php/7.4')
     elif ansible_distribution_release == 'bookworm':
         info = PHPInfo(fpm_package='php-fpm', fpm_service='php8.2-fpm', base_config_dir='/etc/php/8.2')
     else:
         raise Exception('The php_info pytest fixture does not support Debian release: %s' % ansible_distribution_release)

0 comments (0 inline, 0 general)