TLS ciphers to enable on the web server. This should be an OpenSSL-compatible

  cipher specification. Value should be compatible with Nginx configuration

  option ``ssl_ciphers``. Default value allows only TLSv1.2 and strong PFS

  ciphers with RSA private keys.

Distribution compatibility

~~~~~~~~~~~~~~~~~~~~~~~~~~

Role is compatible with the following distributions:

- Debian 11 (Bullseye)

Examples

~~~~~~~~

Here is an example configuration for setting-up web server:

.. code-block:: yaml

  ---

  default_https_tls_key: "{{ lookup('file', inventory_dir + '/tls/web.example.com_https.key') }}"

web_server_tls_ciphers: "\

DHE-RSA-AES128-GCM-SHA256:\

DHE-RSA-AES256-GCM-SHA384:\

DHE-RSA-CHACHA20-POLY1305:\

ECDHE-RSA-AES128-GCM-SHA256:\

ECDHE-RSA-AES256-GCM-SHA384:\

ECDHE-RSA-CHACHA20-POLY1305:\

!aNULL:!MD5:!EXPORT"

# Internal parameters

php_fpm_service_name_per_release:

  bullseye: "php7.4-fpm"

php_base_config_dir_per_release:

  bullseye: "/etc/php/7.4"

php_fpm_package_name: "php-fpm"

php_fpm_service_name: "{{ php_fpm_service_name_per_release[ansible_distribution_release] }}"

php_base_config_dir: "{{ php_base_config_dir_per_release[ansible_distribution_release] }}"

dependencies:

  - common

galaxy_info:

  author: Branko Majic

  description: Sets-up generic web server

  license: BSD

  min_ansible_version: 2.9

  platforms:

    - name: Debian

      versions:

        - 11

  name: vagrant

  provider:

    name: virtualbox

lint:

  name: yamllint

  options:

    config-file: ../../.yamllint.yml

platforms:

  - name: client

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.11

        network_name: private_network

        type: static

  - name: parameters-mandatory-bullseye

    groups:

      - bullseye

    box: debian/bullseye64

    memory: 512

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.32

        network_name: private_network

        type: static

provisioner:

  name: ansible

  playbooks:

    cleanup: cleanup.yml

  config_options:

    defaults:

      force_valid_group_names: "ignore"

      interpreter_python: "/usr/bin/python3"

    ssh_connection:

      pipelining: "True"

  lint:

    name: ansible-lint

        chdir: "tests/data/"

        creates: ".gimmecert/server/{{ item.name }}.cert.pem"

        argv:

          - "gimmecert"

          - "server"

          - "{{ item.name }}"

          - "{{ item.fqdn }}"

      with_items:

        - name: parameters-mandatory-bullseye_https

          fqdn: parameters-mandatory-bullseye

        - name: parameters-optional-bullseye_https

          fqdn: parameters-optional-bullseye

    - name: Set-up link to generated X.509 material

      file:

        src: ".gimmecert"

        dest: "tests/data/x509"

        state: link

- name: Prepare

  hosts: all

  gather_facts: false

  tasks:

    - name: Install python for Ansible

    - name: Update all caches to avoid errors due to missing remote archives

      apt:

        update_cache: true

      changed_when: false

    - name: Install tools for testing

      apt:

        name:

          - gnutls-bin

          - nmap

        state: present

- hosts: all

  become: true

  tasks:

    - name: Set-up the hosts file

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        192.168.56.11: "client"

        192.168.56.31: "parameters-mandatory-bullseye"

        192.168.56.32: "parameters-optional-bullseye"

    - name: Install curl for testing redirects and webpage content

      apt:

        name: curl

        state: present

- hosts: client

  become: true

  tasks:

    - name: Install tool for testing TCP connectivity

      apt:

    - fpm_package (name of the PHP-FPM package)

    - fpm_service (name of the PHP-FPM system service)

    - base_config_dir (base configuration directory for PHP)

    """

    PHPInfo = namedtuple('PHPInfo', 'fpm_package fpm_service base_config_dir')

    ansible_facts = host.ansible("setup")["ansible_facts"]

    ansible_distribution_release = ansible_facts['ansible_distribution_release']

    if ansible_distribution_release == 'bullseye':

        info = PHPInfo(fpm_package='php-fpm', fpm_service='php7.4-fpm', base_config_dir='/etc/php/7.4')

    else:

        raise Exception('The php_info pytest fixture does not support Debian release: %s' % ansible_distribution_release)

    return info