---

  become: true

  roles:

    - backup

---

  become: true

  roles:

    - backup_client

# Deploy a dummy pre-backup script for testing purposes.

  become: true

  tasks:

    - name: Deploy pre-backup script

      copy:

        src: tests/data/10-test-pre-backup.sh

        dest: /etc/duply/main/pre.d/10-test-pre-backup.sh

        owner: root

        group: root

        mode: 0700

---

  become: true

  roles:

    - backup_server

---

  become: true

  roles:

    - bootstrap

---

  become: true

  roles:

    - common

  become: true

  tasks:

    - name: Set-up directories for testing pip requirements upgrade checks script

      file:

        path: "{{ item }}"

        state: directory

        owner: root

        group: pipreqcheck

        mode: 0750

      with_items:

        - "/tmp/pip_check_requirements_upgrades"

        - "/tmp/pip_check_requirements_upgrades/with_updates"

        - "/tmp/pip_check_requirements_upgrades/without_updates"

    - name: Deploy files for testing pip requirements upgrade checks script

      copy:

        src: "{{ item }}"

        dest: "/tmp/{{ item }}"

        owner: root

        group: pipreqcheck

        mode: 0640

        directory_mode: 0750

      with_items:

        - "pip_check_requirements_upgrades/with_updates/requirements.in"

        - "pip_check_requirements_upgrades/with_updates/requirements.txt"

        - "pip_check_requirements_upgrades/without_updates/requirements.in"

        - "pip_check_requirements_upgrades/without_updates/requirements.txt"

    - name: Install web server for testing connectivity

      apt:

        name: nginx

        state: present

    - name: Deploy firewall configuration file for the web server

      copy:

        src: ferm_http.conf

        dest: /etc/ferm/conf.d/99-http.conf

        owner: root

        group: root

        mode: 0640

      notify:

        - Restart ferm

  handlers:

    - name: Restart ferm

      service:

        name: ferm

        state: restarted

---

  become: true

  roles:

    - database

---

  become: true

  roles:

    - database_server

---

  become: true

  roles:

    - ldap_client

---

  become: true

  roles:

    - ldap_server

---

  become: true

  roles:

    - mail_forwarder

---

  become: true

  roles:

    - mail_server

---

  become: true

  vars:

    # common

    ca_certificates:

      testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

    # web_server

    default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/php-website_https.cert.pem') }}"

    default_https_tls_key: "{{ lookup('file', 'tests/data/x509/server/php-website_https.key.pem') }}"

  roles:

    - role: php_website

      fqdn: parameters-mandatory

      https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/parameters-mandatory_https.cert.pem') }}"

      https_tls_key: "{{ lookup('file', 'tests/data/x509/server/parameters-mandatory_https.key.pem') }}"

    - role: php_website

      additional_fpm_config:

        "env[PATH]": "\"/usr/local/bin:/usr/bin:/bin\""

        "security.limit_extensions": ".php .myphp"

      additional_nginx_config:

        - comment: Custom missing page.

          value: error_page 404 /404.myphp;

      admin_uid: 5000

      deny_files_regex:

        - '^/secretfile.txt'

      environment_indicator:

        background_colour: "#ff0000"

        text_colour: "#00ff00"

        text: "parameters-optional"

      fqdn: parameters-optional.local

      index: myindex.php

      https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/parameters-optional_https.cert.pem') }}"

      https_tls_key: "{{ lookup('file', 'tests/data/x509/server/parameters-optional_https.key.pem') }}"

      php_file_regex: "\\.myphp$"

      php_rewrite_urls:

        - ^/rewrite1/(.*)$ /rewrite.myphp?url=$1 last

        - ^/rewrite2/(.*)$ /rewrite.myphp?url=$1 last

      http_header_overrides:

        Accept-Encoding: 'donotencode'

      rewrites:

        - '^/rewrite_to_index1/(.*) /myindex.php last'

        - '^/rewrite_to_index2/(.*) /myindex.php last'

      packages:

        - "php-ldap"

        - "php-json"

      uid: 5001

      website_mail_recipients: user

  become: true

  tasks:

    # parameters-mandatory application

    - name: Set-up directory where PHP files are hosted at

      file:

        path: /var/www/parameters-mandatory/htdocs

        state: directory

        owner: admin-parameters-mandatory

        group: web-parameters-mandatory

        mode: 0750

    - name: Deploy a couple of PHP pages for testing purposes

      copy:

        src: "tests/data/php/mandatory/{{ item }}"

        dest: "/var/www/parameters-mandatory/htdocs/{{ item }}"

        owner: admin-parameters-mandatory

        group: web-parameters-mandatory

        mode: 0640

      with_items:

        - index.php

        - index.php3

    # parameters-optional application

    - name: Set-up directory where PHP files are hosted at

      file:

        path: /var/www/parameters-optional.local/htdocs

        state: directory

        owner: admin-parameters-optional_local

        group: web-parameters-optional_local

        mode: 0750

    - name: Deploy a couple of PHP pages for testing purposes

      copy:

        src: "tests/data/php/optional/{{ item }}"

        dest: "/var/www/parameters-optional.local/htdocs/{{ item }}"

        owner: admin-parameters-optional_local

        group: web-parameters-optional_local

        mode: 0640

      with_items:

        - myindex.php

        - myindex.myphp

        - path.myphp

        - secretfile.txt

        - info.myphp

        - 404.myphp

        - rewrite.myphp

        - headers.myphp

---

  roles:

    - preseed

---

  become: true

  roles:

    - web_server

---

  become: true

  vars:

    # common

    ca_certificates:

      testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

    # web_server

    default_https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/wsgi-website_https.cert.pem') }}"

    default_https_tls_key: "{{ lookup('file', 'tests/data/x509/server/wsgi-website_https.key.pem') }}"

  roles:

    - role: wsgi_website

      fqdn: parameters-mandatory

      https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/parameters-mandatory_https.cert.pem') }}"

      https_tls_key: "{{ lookup('file', 'tests/data/x509/server/parameters-mandatory_https.key.pem') }}"

      wsgi_application: testapp:application

    - role: wsgi_website

      fqdn: parameters-optional.local

      https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/parameters-optional.local_https.cert.pem') }}"

      https_tls_key: "{{ lookup('file', 'tests/data/x509/server/parameters-optional.local_https.key.pem') }}"

      additional_nginx_config:

        - comment: Custom missing page.

          value: error_page 404 /my/own/error/page;

      admin_uid: 5000

      environment_indicator:

        background_colour: "#ff0000"

        text_colour: "#00ff00"

        text: "parameters-optional"

      environment_variables:

        MY_ENV_VAR: "My environment variable"

      packages:

        - atftp

        - global

      http_header_overrides:

        Accept-Encoding: ""

      rewrites:

        - '^/rewrite1/(.*) /rewritten1/ last'

        - '^/rewrite2/(.*) /rewritten2/$1 last'

      static_locations:

        - /static/

        - /media/

      uid: 5001

      use_paste: false

      virtualenv_packages:

        # Main packages.

        - dnspython==2.6.1

        - prompt-toolkit==3.0.43

        - ptpython==3.0.26

        # Dependencies.

        - appdirs==1.4.4

        - jedi==0.19.1

        - parso==0.8.3

        - pygments==2.17.2

        - wcwidth==0.2.13

      website_mail_recipients: user

      wsgi_application: testapp:application

      wsgi_requirements:

        - gunicorn==21.1.0

        - packaging==23.2

      wsgi_requirements_in:

        - gunicorn

    - role: wsgi_website

      fqdn: parameters-paste-req

      use_paste: true

      virtualenv_packages:

        # Main packages.

        - Flask==3.0.2

        - Paste==3.7.1

        - PasteDeploy==3.1.0

        # Dependencies.

        - Jinja2==3.1.3

        - MarkupSafe==2.1.5

        - Werkzeug==3.0.1

        - blinker==1.7.0

        - click==8.1.7

        - importlib-metadata==7.0.1

        - itsdangerous==2.1.2

        - six==1.16.0

        - zipp==3.17.0

      wsgi_application: config.ini

      wsgi_requirements:

        - gunicorn==21.1.0

        - packaging==23.2

      https_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/parameters-paste-req_https.cert.pem') }}"

      https_tls_key: "{{ lookup('file', 'tests/data/x509/server/parameters-paste-req_https.key.pem') }}"

  become: true

  tasks:

    # parameters-mandatory application

    - name: Set-up directories where application files are hosted at

      file:

        path: "/var/www/parameters-mandatory/{{ item }}"

        state: directory

        owner: admin-parameters-mandatory

        group: web-parameters-mandatory

        mode: 02750

      with_items:

        - htdocs/static

        - htdocs/media

        - code

    - name: Deploy WSGI application

      copy:

        src: "tests/data/python/wsgi/testapp.py"

        dest: "/var/www/parameters-mandatory/code/testapp.py"

        owner: admin-parameters-mandatory

        group: web-parameters-mandatory

        mode: 0640

      notify:

        - Restart parameters-mandatory

    - name: Deploy a static file

      copy:

        src: "tests/data/static_file.txt"

        dest: "/var/www/parameters-mandatory/htdocs/static/static_file.txt"

        owner: admin-parameters-mandatory

        group: web-parameters-mandatory

        mode: 0640

    - name: Deploy a media file

      copy:

        src: "tests/data/media_file.txt"

        dest: "/var/www/parameters-mandatory/htdocs/media/media_file.txt"

        owner: admin-parameters-mandatory

        group: web-parameters-mandatory

        mode: 0640

    # parameters-optional application

    - name: Set-up directories where application files are hosted at

      file:

        path: "/var/www/parameters-optional.local/{{ item }}"

        state: directory

        owner: admin-parameters-optional_local

        group: web-parameters-optional_local

        mode: 02750

      with_items:

        - htdocs/static

        - htdocs/media

        - code

    - name: Deploy WSGI application

      copy:

        src: "tests/data/python/wsgi/testapp.py"

        dest: "/var/www/parameters-optional.local/code/testapp.py"

        owner: admin-parameters-optional_local

        group: web-parameters-optional_local

        mode: 0640

      notify:

        - Restart parameters-optional.local

    - name: Deploy a static file

      copy:

        src: "tests/data/static_file.txt"

        dest: "/var/www/parameters-optional.local/htdocs/static/static_file.txt"

        owner: admin-parameters-optional_local

        group: web-parameters-optional_local

        mode: 0640

    - name: Deploy a media file

      copy:

        src: "tests/data/media_file.txt"

        dest: "/var/www/parameters-optional.local/htdocs/media/media_file.txt"

        owner: admin-parameters-optional_local

        group: web-parameters-optional_local

        mode: 0640

    # parameters-paste-req application

    - name: Set-up directories where application files are hosted at

      file:

        path: "/var/www/parameters-paste-req/{{ item }}"

        state: directory

        owner: admin-parameters-paste-req

        group: web-parameters-paste-req

        mode: 02750

      with_items:

        - htdocs/static

        - htdocs/media

        - code

    - name: Deploy WSGI application

      copy:

        src: "tests/data/python/paste/{{ item }}"

        dest: "/var/www/parameters-paste-req/code/{{ item }}"

        owner: admin-parameters-paste-req

        group: web-parameters-paste-req

        mode: 0640

      with_items:

        - config.ini

        - testapp.py

---

  become: true

  roles:

    - xmpp_server